Presentation on theme: "Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting Jason Franklin, Damon McCoy, Parisa Tabriz, Vicentiu Neagoe, Jamie Van Randwyk, Douglas."— Presentation transcript:
Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting Jason Franklin, Damon McCoy, Parisa Tabriz, Vicentiu Neagoe, Jamie Van Randwyk, Douglas Sicker What would you like to identify today?
Be Pessimistic! Today, we take a glass is half-empty view of device driver security. We present a fingerprinting technique for 802.11 device drivers under the premise that wireless device drivers are and will remain vulnerable. Half-empty
Outline I.Motivation II.802.11 and all that jazz III.Fingerprinting Approach IV.Evaluation V.Preventative Measures VI.Wrap up
Motivation 802.11 is everywhere. –Coffee shops, airports, homes, businesses, here! –Full-city coverage (San Francisco, London, Chicago) Driver-specific exploits are an emerging threat. –Drivers are complex, numerous, buggy, and usually NOT easy to externally interact with. –Wireless drivers, however, are externally accessible. –802.11 driver exploits already exist. –New APIs for 802.11 packet generation will make writing exploits easier.
802.11 Basics Station : Device with wireless capabilities (laptop, PDA, etc.) Access Point : Device that acts as a communication hub for wireless devices connected to a wireless LAN Wireless Frame : Unit of data at data-link layer
Fingerprinting What is fingerprinting? –Process by which a target object is identified by its externally observable characteristics Target Device What would you like to identify today? Fingerprinter
Device Driver Fingerprinting Utility of fingerprinting –Intrusion detection: detecting MAC address spoofing –Network forensics: narrow or verify source of network event or security incident –Reconnaissance: targeted attacks Why not use the MAC Address? –MAC address is one way to identify a NIC manufacturer –Easy to change (spoof) to another legitimate, copied, or fictitious MAC
802.11 Active Scanning A station sends probe request frames when it needs to discover access points in a wireless network. This process is known as active scanning. The IEEE 802.11 standard specifies active scanning as… For every channel: Broadcast probe request frame; Start channel timer, t; If t reaches MinChannelTime AND current channel is IDLE: Scan to the next channel; Else Wait until t reaches MaxChannelTime; Process probe response frames from current channel; Scan to the next channel; The remaining details of this process implementation are determined by wireless driver authors…
Intuition As you may have guessed, we distinguish drivers based on unique active scanning! D-Link driver D-Link DWL-G520 PCI Wireless NIC Cisco driver Aironet AIR-CB21AG-A-K9 PCI Wireless NIC
Outline of Method Supervised Bayesian Classification: 1.Create tagged signatures (Bayesian Models) 17 different device drivers 12 hour traffic traces 2.Capture traffic trace for an unidentified driver 3.Compare how close the unidentified trace is to every tagged signature and identify based on nearest match
Signature Generation Driver signatures are based on the delta arrival time between probe requests. Signatures are obtained via binning with an empirically tuned and fixed bin width. 1.Record the percentage of probe requests placed in each bin 2.Record the average, for each bin, of all actual (non-rounded) delta arrival time values in that bin 3.Generate a vector initialized with these parameters as the signature for that driver Windows Engenius driver signature.
Identification Calculate how close the trace is to every known driver signature using distance metric Trace is identified as having the driver with the signature that is the closest according to our metric
Factors that Effect Probing Association status –Associated to an access point –Unassociated Driver management –Managed by Windows –Managed by NIC vendor drivers
Experimental Setup The fingerprinter: Pentium 4 running Linux with a Cisco Aironet a/b/g wireless card The victims: 17 different wireless drivers, including drivers from Apple, Cisco, D-link, Intel, Linksys, Madwifi, Netgear, Proxim, and SMC The signature database: 31 unique driver signatures with tags and signature of the format: driver assoc-status manager : (bin, % in bin, mean)
Experimental Setup Test set #1, Master Signature Database (Lab): –No background traffic –No obstructions Test set #2 (Home network): –No background traffic –Wall between fingerprinter and victim Test set #3 (Coffee house): –Background wireless traffic –Miscellaneous objects fingerprinter and victim
Results Test Set SuccessfulTotalAccuracy 1555796% 2485784% 3445777% Number of Drivers Accuracy of Driver Percentage 0 1 2 3 4 5 6 7 8 9 10 10099-9089-8079-7069-60
Results Trace Data (Minutes) Fingerprinting Accuracy (Percentage)
Limitations Cannot distinguish between different driver versions Accuracy is sensitive to network conditions
Preventing Fingerprinting Standardize IEEE 802.11 active scanning –Power constrained devices will want to probe less often then devices worried about quick handoffs Support configurable active scanning –Off by default? –Can we expect users to understand when to appropriately enable or disable active scanning? Inject probe requests to disguise driver behavior –Wastes power and bandwidth –Difficult to ensure that the noise is masking the driver
Preventing Fingerprinting Modify driver code –Extremely difficult with closed source drivers –Non-trivial to modify even in open source drivers Patch existing drivers –Best effort to mitigate driver exploits –A usable and efficient patching process is needed to fix existing and future vulnerabilities discovered in device drivers
Conclusions Wireless devices are a target of attack Unique implementations of active scanning can be used to fingerprint a wireless driver According to our results, this method of fingerprinting is highly accurate and efficient Now that more drivers are externally accessible, a larger focus needs to be placed on their software security Questions?