Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting

1
Passive Data Link Layer 802.11 Wireless Device
Driver Fingerprinting
  • Jason Franklin, Damon McCoy, Parisa Tabriz,
    Vicentiu Neagoe, Jamie Van Randwyk, Douglas
    Sicker

2
Be Pessimistic!
  • Today, we take a glass is half-empty view of
    device driver security.
  • We present a fingerprinting technique for 802.11
    device drivers under the premise that wireless
    device drivers are and will remain vulnerable.

Half-empty
3
Outline
  • Motivation
  • 802.11 and all that jazz
  • Fingerprinting Approach
  • Evaluation
  • Preventative Measures
  • Wrap up

4
Motivation
  • 802.11 is everywhere.
  • Coffee shops, airports, homes, businesses, here!
  • Full-city coverage (San Francisco, London,
    Chicago)
  • Driver-specific exploits are an emerging threat.
  • Drivers are complex, numerous, buggy, and usually
    NOT easy to externally interact with.
  • Wireless drivers, however, are externally
    accessible.
  • 802.11 driver exploits already exist.
  • New APIs for 802.11 packet generation will make
    writing exploits easier.

5
802.11 Basics
  • Station: Device with wireless capabilities
    (laptop, PDA, etc.)
  • Access Point: Device that acts as a communication
    hub for wireless devices connected to a wireless
    LAN
  • Wireless Frame: Unit of data at the data-link layer
6
Fingerprinting
  • What is fingerprinting?
  • Process by which a target object is identified by
    its externally observable characteristics

7
Device Driver Fingerprinting
  • Utility of fingerprinting
    • Intrusion detection: detecting MAC address
      spoofing
    • Network forensics: narrow or verify the source of
      a network event or security incident
    • Reconnaissance: targeted attacks
  • Why not use the MAC Address?
    • MAC address is one way to identify a NIC
      manufacturer
    • Easy to change (spoof) to another legitimate,
      copied, or fictitious MAC

8
802.11 Active Scanning
  • A station sends probe request frames when it
    needs to discover access points in a wireless
    network. This process is known as active
    scanning.
  • The IEEE 802.11 standard specifies active
    scanning as:
    • For every channel:
      • Broadcast probe request frame
      • Start channel timer, t
      • If t reaches MinChannelTime AND current channel
        is IDLE:
        • Scan to the next channel
      • Else:
        • Wait until t reaches MaxChannelTime
        • Process probe response frames from current
          channel
        • Scan to the next channel
  • The remaining details of this process's
    implementation are determined by wireless driver
    authors

9
Intuition
  • As you may have guessed, we distinguish drivers
    based on unique active scanning!

10
Fingerprinting Approach
[Figure: probe request frames (REQ, REQ, REQ) captured
from the station and converted into a driver signature]
11
Outline of Method
  • Supervised Bayesian Classification
    • Create tagged signatures (Bayesian Models)
      • 17 different device drivers
      • 12 hour traffic traces
    • Capture traffic trace for an unidentified driver
    • Compare how close the unidentified trace is to
      every tagged signature and identify based on
      nearest match

12
Signature Generation
  • Driver signatures are based on the delta arrival
    time between probe requests.
  • Signatures are obtained via binning with an
    empirically tuned and fixed bin width:
    • Record the percentage of probe requests placed in
      each bin
    • Record the average, for each bin, of all actual
      (non-rounded) delta arrival time values in that
      bin
    • Generate a vector initialized with these
      parameters as the signature for that driver

[Figure: Windows Engenius driver signature]
13
Identification
  • Calculate how close the trace is to every known
    driver signature using distance metric
  • Trace is identified as having the driver with the
    signature that is the closest according to our
    metric
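The two slides above (signature generation and nearest-match identification) as a worked example. This code is added here and is not the authors' implementation: the bin width, number of bins, Euclidean distance and all probe-request timestamps are constructed assumptions, since the deck only says the width is empirically tuned and calls the comparison "a distance metric".

```python
# Added example: build a (percentage-per-bin, mean-delta-per-bin) driver signature
# from probe request arrival times and identify a trace by its nearest signature.
from math import sqrt

BIN_WIDTH = 0.5   # seconds; assumption (the deck says the width is empirically tuned)
NUM_BINS = 8      # deltas >= NUM_BINS * BIN_WIDTH are folded into the last bin (assumption)

def signature(timestamps, bin_width=BIN_WIDTH, num_bins=NUM_BINS):
    """Return [pct_bin_0..pct_bin_n-1, mean_bin_0..mean_bin_n-1] for one probe-request trace."""
    deltas = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if not deltas:
        raise ValueError("need at least two probe requests to compute inter-arrival deltas")
    counts = [0] * num_bins
    sums = [0.0] * num_bins
    for d in deltas:
        i = min(int(d // bin_width), num_bins - 1)
        counts[i] += 1
        sums[i] += d                       # keep the raw (non-rounded) delta for the bin mean
    pct = [c / len(deltas) for c in counts]
    mean = [sums[i] / counts[i] if counts[i] else 0.0 for i in range(num_bins)]
    return pct + mean

def distance(sig_a, sig_b):
    # Euclidean distance over the whole vector; the metric choice is an assumption.
    return sqrt(sum((x - y) ** 2 for x, y in zip(sig_a, sig_b)))

def identify(trace_sig, database):
    """Return (tag, distance) of the tagged signature closest to the unknown trace."""
    return min(((tag, distance(trace_sig, sig)) for tag, sig in database.items()),
               key=lambda item: item[1])

def probe_times(period, jitter_seq, n):
    """Constructed probe-request timestamps: a fixed period plus a repeating jitter pattern."""
    t, out = 0.0, []
    for k in range(n):
        out.append(t)
        t += period + jitter_seq[k % len(jitter_seq)]
    return out

# Constructed signature database (tag format follows the deck: driver, assoc-status, manager).
DATABASE = {
    "driverA unassoc vendor": signature(probe_times(1.0, [0.02, -0.03, 0.01], 40)),
    "driverB unassoc vendor": signature(probe_times(3.0, [0.10, -0.10, 0.05], 40)),
}

def demo():
    unknown = signature(probe_times(1.0, [0.04, -0.06, 0.02], 30))   # probes every ~1 s
    return identify(unknown, DATABASE)

if __name__ == "__main__":
    print(demo())
```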

14
Factors that Affect Probing
  • Association status
    • Associated to an access point
    • Unassociated
  • Driver management
    • Managed by Windows
    • Managed by NIC vendor drivers

15
Experimental Setup
  • The fingerprinter: Pentium 4 running Linux with a
    Cisco Aironet a/b/g wireless card
  • The victims: 17 different wireless drivers,
    including drivers from Apple, Cisco, D-link,
    Intel, Linksys, Madwifi, Netgear, Proxim, and SMC
  • The signature database: 31 unique driver
    signatures with tags, each of the format
    • driver assoc-status manager (bin, percentage in
      bin, mean)

16
Experimental Setup
  • Test set 1, Master Signature Database (Lab)
    • No background traffic
    • No obstructions
  • Test set 2 (Home network)
    • No background traffic
    • Wall between fingerprinter and victim
  • Test set 3 (Coffee house)
    • Background wireless traffic
    • Miscellaneous objects between fingerprinter and
      victim

17
Results
18
Results
[Figure: Fingerprinting Accuracy (Percentage)]
19
Limitations
  • Cannot distinguish between different driver
    versions
  • Accuracy is sensitive to network conditions

20
Preventing Fingerprinting
  • Standardize IEEE 802.11 active scanning
    • Power constrained devices will want to probe less
      often than devices worried about quick handoffs
  • Support configurable active scanning
    • Off by default?
    • Can we expect users to understand when to
      appropriately enable or disable active scanning?
  • Inject probe requests to disguise driver behavior
    • Wastes power and bandwidth
    • Difficult to ensure that the noise is masking the
      driver

21
Preventing Fingerprinting
  • Modify driver code
    • Extremely difficult with closed source drivers
    • Non-trivial to modify even in open source drivers
  • Patch existing drivers
    • Best effort to mitigate driver exploits
    • A usable and efficient patching process is needed
      to fix existing and future vulnerabilities
      discovered in device drivers

22
Conclusions
  • Wireless devices are a target of attack
  • Unique implementations of active scanning can be
    used to fingerprint a wireless driver
  • According to our results, this method of
    fingerprinting is highly accurate and efficient
  • Now that more drivers are externally accessible,
    a larger focus needs to be placed on their
    software security