Yan Chen, Hai Zhou - PowerPoint PPT Presentation

1
Vulnerability Analysis and Intrusion Mitigation
Systems for WiMAX Networks
  • Yan Chen, Hai Zhou
  • Northwestern Lab for Internet and Security
    Technology (LIST)
  • Dept. of Electrical Engineering and Computer
    Science
  • Northwestern University
  • http://list.cs.northwestern.edu

Motorola Liaisons: Greg W. Cox, Z. Judy Fu, Peter
McCann, and Philip R. Roberts, Motorola Labs
2
The Current Threat Landscape and Countermeasures
of WiMAX Networks
  • WiMAX: the next wireless phenomenon
  • Predicted multi-billion dollar industry
  • WiMAX faces both Internet attacks and wireless
    network attacks
  • E.g., 6 new viruses, including Cabir and Skulls,
    with 30 variants targeting mobile devices
  • Goal of this project: secure WiMAX networks
  • Big security risks for WiMAX networks
  • No formal analysis about WiMAX security
    vulnerabilities
  • No intrusion detection/mitigation
    product/research tailored towards WiMAX networks

3
Our Approach
  • Vulnerability analysis of 802.16e specs and WiMAX
    standards
  • Intelligent and complete checking through a
    combination of manual analysis and automatic
    search with formal methods
  • First, manual analysis provides hints and the
    right level of abstraction for the automatic search
  • Then specify the specs and potential capabilities
    of attackers in a formal language TLA (the
    Temporal Logic of Actions)
  • Then model check for any possible attacks
  • Adaptive Intrusion Detection and Mitigation for
    WiMAX Networks (WAIDM)
  • Could be a differentiator for Motorola's 802.16
    products

4
Outline
  • Threat landscape and motivation
  • Our approach
  • Accomplishment of this year
  • Achievement highlight: a Mobile IPv6
    vulnerability
  • Plan for the next year

5
Accomplishments This Year (I)
  • Most achieved with close interaction with
    Motorola liaisons
  • Intelligent vulnerability analysis of WiMAX
  • Focused on outsider attacks, i.e., with unprotected
    messages
  • Checked the complete spec of 802.16e before
    authentication
  • Found some vulnerabilities, e.g., for ranging (but
    exploiting it needs the MAC to be changed)
  • Published a joint paper with Motorola Labs
  • Automatic Vulnerability Checking of IEEE 802.16
    WiMAX Protocols through TLA, in Proc. of the
    Second Workshop on Secure Network Protocols
    (NPSec), 2006.
  • Checked the mobile IPv4/v6
  • Found an easy attack to disable the route
    optimization of MIPv6!

6
Accomplishments This Year (II)
  • Automatic polymorphic worm signature generation
    systems for high-speed networks
  • Fast, noise tolerant, with proven attack resilience
  • Resulted in a joint paper submission with Motorola
    Labs
  • Network-based and Attack-resilient Length
    Signature Generation for Zero-day Polymorphic
    Worms, submitted to IEEE International
    Conference on Network Protocols (ICNP) 2007.
  • Patent under review by the patent committee of
    Motorola

7
Automatic Length Based Worm Signature Generation
  • Majority of worms exploit buffer overflow
    vulnerabilities
  • Worm packets have a particular field longer than
    normal
  • Length signature generation
  • Parse the traffic to different fields
  • Find abnormally long field
  • Apply a three-step algorithm to determine a
    length signature
  • Length based signature is hard to evade if the
    attacker has to overflow the buffer.

8
Length Based Signature Generator
9
Evaluation of Signature Quality
  • Seven polymorphic worms based on real-world
    vulnerabilities and exploits from
    securityfocus.com
  • Real traffic collected at two gigabit links of
    campus edge routers in 2006 (40GB for evaluation)
  • Another 123GB spam dataset

10
Accomplishments on Publications
  • Four conference papers and one tech report
  • Detecting Stealthy Spreaders Using Online
    Outdegree Histograms, in the Proc. of the 15th
    IEEE International Workshop on Quality of Service
    (IWQoS), 2007 (26.6%).
  • A Suite of Schemes for User-level Network
    Diagnosis without Infrastructure, in the Proc.
    of IEEE INFOCOM, 2007 (18%).
  • Towards Scalable and Robust Distributed
    Intrusion Alert Fusion with Good Load Balancing,
    in Proc. of ACM SIGCOMM Workshop on Large-Scale
    Attack Defense, 2006 (33%).
  • Automatic Vulnerability Checking of IEEE 802.16
    WiMAX Protocols through TLA, in Proc. of the
    Second Workshop on Secure Network Protocols
    (NPSec), 2006 (33%).
  • Abstraction Techniques for Model-Checking
    Parameterized Systems, EECS Tech. Report, 2007.

11
Students Involved
  • PhD students
  • Zhichun Li, Yao Zhao (both in their 3rd year)
  • Lanjia Wang, Yanmei Zhang (visiting PhD students)
  • Nicos Liveris (4th year)
  • MS students
  • Prasad Narayana (graduated)
  • Sagar Vemuri (1st year)

12
Outline
  • Threat Landscape and Motivation
  • Our approach
  • Accomplishment
  • Achievement highlight: a Mobile IPv6
    vulnerability
  • Plan for the next year

13
Mobile IPv6 (RFC 3775)
  • Provides mobility at IP Layer
  • Enables IP-based communication to continue even
    when the host moves from one network to another
  • Host movement is completely transparent to Layer
    4 and above

14
Mobile IPv6 - Entities
  • Mobile Node (MN): any IP host which is mobile
  • Correspondent Node (CN): any IP host
    communicating with the MN
  • Home Agent (HA): a host/router in the home
    network which
  • Is always aware of the MN's current location
  • Forwards any packet destined to the MN
  • Assists the MN to optimize its route to the CN

15
Mobile IPv6 - Process
  • (Initially) MN is in home network and connected
    to CN
  • MN moves to a foreign network
  • Registers new address with HA by sending Binding
    Update (BU) and receiving Binding Ack (BA)
  • Performs Return Routability to optimize route to
    CN by sending HoTI, CoTI and receiving HoT, CoT
  • Registers with CN using BU and BA

16
Mobile IPv6 in Action
[Figure: Mobile IPv6 in action. The Mobile Node moves from the Home Network (Home Agent) to a Foreign Network, registers with the Home Agent (BU/BA), runs Return Routability with the Correspondent Node across the Internet (HoTI/HoT via the Home Agent, CoTI/CoT directly), then registers with the Correspondent Node (BU/BA).]
17
Mobile IPv6 Vulnerability
  • Nullifies the effect of Return Routability
  • A BA with status code 136, 137 or 138 is unprotected
  • Man-in-the-middle attack:
  • Sniffs the BU sent to the CN
  • Injects a BA to the MN with one of the status codes above
  • MN either retries RR or gives up route
    optimization and goes through the HA

18
MIPv6 Attack In Action
[Figure: message sequence between MN, HA, AT (attacker) and CN. The MN runs Return Routability (HoTI/HoT through the HA, CoTI/CoT directly) and sends its Bind Update to the CN, which the AT sniffs along the way; the AT then spoofs a Bind Ack to the MN, and the MN starts Return Routability again. The CN's own Bind Ack, if any, arrives later.]
  • Only needs a wireless network sniffer and a
    spoofed wired machine (no MAC needs to be
    changed!)
  • Bind ACK is often skipped by the CN

19
MIPv6 Vulnerability - Effects
  • Performance degradation by forcing communication
    through sub-optimal routes
  • Possible overloading of HA and Home Link
  • DoS attack, when the MN repeatedly tries to complete
    the return routability procedure
  • Attack can be launched against a large number of
    machines in their foreign network
  • Small overhead for continuously sending spoofed
    Bind ACKs to different machines

20
TLA Analysis and Experiments
  • With the spec modeled in TLA, the TLC search
    gives two other similar attacks with the same
    vulnerability
  • Completed the search for vulnerabilities with
    unprotected messages
  • Implemented and tested in our lab
  • Using Mobile IPv6 Implementation for Linux (MIPL)
  • Tunneling IPv6 through IPv4 with Generic Routing
    Encapsulation (GRE) by Cisco
  • With the attack in action, the MN repeatedly tried to
    complete the return routability procedure: a DoS
    attack!

21
Outline
  • Threat landscape and motivation
  • Our approach
  • Accomplishment
  • Achievement highlight: a Mobile IPv6
    vulnerability
  • Plan for the next year
  • Vulnerability analysis of EAP protocols
  • Insider attack analysis
  • Technology transfer

22
Extensible Authentication Protocols (EAP)
[Figure: EAP layering]
  • Authentication method layer: EAP-TTLS, EAP-SIM,
    EAP-AKA, EAP-TLS, PEAP, EAP-FAST
  • EAP layer: Extensible Authentication Protocol
    (EAP), EAP Over LAN (EAPOL)
  • Data link layer: 802.16, CDMA, PPP, 802.3 Ethernet,
    802.5 Token Ring, 802.11 WLAN, GSM
23
Extensible Authentication Protocols (EAP)
  • EAP is an authentication framework
  • Supports about 40 different EAP methods
  • Current targets:
  • EAP-SIM for GSM cellular networks
  • EAP-AKA for 3G networks, such as UMTS and
    CDMA2000
  • EAP-FAST (Flexible Authentication via Secure
    Tunneling)
  • Most comprehensive and secure EAP method for WLAN
  • Will compare it with EAP-SIM and EAP-AKA

24
Insider Attack Analysis
  • Not hard to become a subscriber
  • Can five subscribers bring down an entire WiMAX
    network?
  • Check vulnerability after authentication
  • Plan to analyze various layers of WiMAX networks
  • IEEE 802.16e MAC layer
  • Mobile IP v4/6 network layer
  • EAP layer

25
802.16e SS Init Flowchart
26
Work Done
27
Future work
28
Conclusions
  • Vulnerability analysis of WiMAX protocols
    802.16e and mobile IP specs
  • Adaptive Intrusion Detection and Mitigation for
    WiMAX Networks (WAIDM)

Thank You!
29
Existing WLAN Security Technology Insufficient
for WiMAX Networks
  • Cryptography and authentication cannot prevent
    attacks from penetrating WiMAX networks
  • Viruses, worms, DoS attacks, etc.
  • 802.16 IDS development can potentially lead to
    critical gain in market share
  • All major WLAN vendors integrated IDS into
    products
  • Limitations of existing IDSes (including WIDS)
  • Mostly host-based, and not scalable to high-speed
    networks
  • Mostly simple signature based, cannot deal with
    unknown attacks, polymorphic worms
  • Mostly ignore dynamics and mobility of wireless
    networks

30
Deployment of WAIDM
  • Attached to a switch connecting BS as a black box
  • Enable the early detection and mitigation of
    global scale attacks
  • Could be a differentiator for Motorola's 802.16
    products

[Figure: (a) Original configuration: users attach to 802.16 BSs, which connect through a switch/BS controller to the Internet. (b) WAIDM deployed: the same topology with the WAIDM system attached to the switch's scan port.]