motorola-review-Feb0.. - Computer Science Division


Automatic Vulnerability Analysis and Intrusion Mitigation Systems for WiMAX Networks
Yan Chen, Hai Zhou
Northwestern Lab for Internet and Security Technology (LIST)
Dept. of Electrical Engineering and Computer Science, Northwestern University
http://list.cs.northwestern.edu
Motorola Liaisons: Greg W. Cox, Z. Judy Fu, Peter McCann, and Philip R. Roberts, Motorola Labs
The Spread of Sapphire/Slammer Worms
Outline
• Threat Landscape and Motivation
• Our approach
• Accomplishment
• Achievement highlight: a Mobile IPv6 vulnerability
The Current Threat Landscape and
Countermeasures of WiMAX Networks
• WiMAX: next wireless phenomenon
– Predicted multi-billion dollar industry
• WiMAX faces both Internet attacks and wireless
network attacks
– E.g., 6 new viruses, including Cabir and Skulls, with 30
variants targeting mobile devices
• Goal of this project: secure WiMAX networks
• Big security risks for WiMAX networks
– No formal analysis of WiMAX security vulnerabilities
– No intrusion detection/mitigation product/research
tailored towards WiMAX networks
Our Approach
• Vulnerability analysis of 802.16e specs and WiMAX
standards
– Systematic and automatic search through formal methods
– First specify the specs and potential capabilities of
attackers in a formal language TLA+ (the Temporal Logic
of Actions)
– Then model check for any possible attacks
– The formal analysis can also help guide fixing of the flaws
• Adaptive Intrusion Detection and Mitigation for
WiMAX Networks (WAIDM)
– Could be differentiator for Motorola’s 802.16 products
Accomplishments This Year
• Most achieved with close interaction with Motorola
liaisons
• Automatic vulnerability analysis
– Checked the initial ranging and authentication of WiMAX
» Found a potential vulnerability in ranging (but fixing it requires a
change to the MAC)
» Published a joint paper with Judy Fu
“Automatic Vulnerability Checking of IEEE 802.16 WiMAX
Protocols through TLA+”, in Proc. of the Second Workshop on
Secure Network Protocols (NPSec), 2006.
– Checking the mobile IPv6
» Found an easy attack that disables route optimization!
Accomplishments This Year (II)
• Sketch-based online flow-level intrusion detection
– Mature and ready to be deployed
– Motorola liaisons are talking to various groups for
commercialization
» E.g., recently talked to Joshua Brickel, John Bruner, and Ephraim
Borow in MSG. “Sketch can be used in our DoS attack solution for
Verizon Wireless networks or may be used in SLA monitor.”
• Automatic polymorphic worm signature generation
systems for high-speed networks
– Fast, noise tolerant, and attack resilient
– Resulted in a joint paper submission with Judy Zhi Fu
“Network-based and Attack-resilient Length Signature
Generation for Zero-day Polymorphic Worms”, submitted
to USENIX Security Symposium 2007.
– Patent under review by the patent committee of Motorola
Automatic Length Based Worm
Signature Generation
• Majority of worms exploit buffer overflow
vulnerabilities
• Worm packets have a particular field longer
than normal
• Length signature generation
– Parse the traffic to different fields
– Find abnormally long field
– Apply a three-step algorithm to determine a length
signature
– A length based signature is hard to evade: the attacker must still
send an over-long field to overflow the buffer, whatever bytes it contains.
Length Based Signature Generator
(Diagram) The Protocol Specification drives a Protocol Parser that turns the Normal Traffic Pool into Parsed Normal and the Suspicious Traffic Pool into Parsed Suspicious traffic. Both feed the LESG Core, which outputs Signatures. The signatures pass through a Filter that removes covered flows from the suspicious pool; if the remaining pool size is too small the generator quits, otherwise it iterates.
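The following script is an added example written for this page, not the LESG code or its exact three-step algorithm; it shows the idea in the two slides above in runnable form. The protocol (an HTTP request line plus two headers), the field parser, the false positive bound, the traffic pools and the polymorphic worm instances are all constructed here for illustration, so the numbers are not those of the campus trace evaluation.

```python
"""Length-based signature generation over parsed protocol fields.

Added example in the spirit of the LESG slides; it is not the LESG code
and does not claim to reproduce its exact three-step algorithm.  The
protocol, the parser, the bounds and the traffic pools are constructed.
"""
import re
from typing import Dict, List, Tuple

# Protocol specification (assumed): the fields a parser extracts from one request.
FIELD_RE = {
    "method": re.compile(rb"^([A-Z]+) "),
    "uri": re.compile(rb"^[A-Z]+ (\S+) HTTP/1\.[01]\r\n"),
    "host": re.compile(rb"\r\nHost: ([^\r\n]*)", re.I),
    "user_agent": re.compile(rb"\r\nUser-Agent: ([^\r\n]*)", re.I),
}


def parse(msg: bytes) -> Dict[str, int]:
    """Protocol parser: length of each field's value (0 if the field is absent)."""
    lengths = {}
    for name, rx in FIELD_RE.items():
        m = rx.search(msg)
        lengths[name] = len(m.group(1)) if m else 0
    return lengths


def generate_length_signatures(normal: List[bytes], suspicious: List[bytes],
                               max_fpr: float = 0.01, min_coverage: float = 0.5
                               ) -> List[Tuple[str, int]]:
    """Return (field, min_length) signatures: a flow matches if that field is at least that long.

    1. Parse both pools into per-field lengths.
    2. Per field, candidate thresholds are the lengths seen in the suspicious pool; the
       smallest one whose false positive rate on the normal pool is <= max_fpr gives the
       largest coverage that field can offer.
    3. Keep the best field, drop the suspicious flows it covers, and repeat on the rest
       (benign noise in the suspicious pool is simply never covered).
    """
    normal_len = [parse(m) for m in normal]
    remaining = [parse(m) for m in suspicious]
    signatures: List[Tuple[str, int]] = []
    while remaining:
        best = None  # (coverage, field, threshold)
        for field in FIELD_RE:
            for threshold in sorted({r[field] for r in remaining if r[field] > 0}):
                fpr = sum(n[field] >= threshold for n in normal_len) / len(normal_len)
                if fpr > max_fpr:
                    continue  # too many normal flows have a value this long; try longer
                coverage = sum(r[field] >= threshold for r in remaining) / len(remaining)
                if best is None or coverage > best[0]:
                    best = (coverage, field, threshold)
                break  # smallest admissible threshold already has the best coverage
        if best is None or best[0] < min_coverage:
            break
        _, field, threshold = best
        signatures.append((field, threshold))
        remaining = [r for r in remaining if r[field] < threshold]  # filter step
    return signatures


def matches(signatures: List[Tuple[str, int]], msg: bytes) -> bool:
    """Apply the signatures to one flow: any over-long field is a hit."""
    lengths = parse(msg)
    return any(lengths[field] >= threshold for field, threshold in signatures)


def worm_instance(seed: int, pad: int) -> bytes:
    """Constructed polymorphic exploit: filler bytes differ per instance (defeating a
    content signature) but the URI must stay long enough to overflow the target buffer."""
    filler = bytes(97 + (seed * 7 + j) % 26 for j in range(pad))
    return (b"GET /cgi-bin/" + filler + b" HTTP/1.0\r\n"
            b"Host: victim\r\nUser-Agent: w\r\n\r\n")


# Constructed traffic pools (not the campus traces from the evaluation slide).
NORMAL_POOL = [
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux) Firefox/2.0\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: example.org\r\nUser-Agent: curl/7.15\r\n\r\n",
    b"POST /search?q=wimax+security+tla HTTP/1.1\r\nHost: search.example.net\r\n"
    b"User-Agent: Mozilla/4.0\r\n\r\n",
    b"GET /images/banner_2006_campus_edge_router_stats.png HTTP/1.1\r\n"
    b"Host: cdn.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p.txt HTTP/1.0\r\nHost: example.com\r\n\r\n",
]
# Six worm instances plus two benign flows misclassified as suspicious (noise).
SUSPICIOUS_POOL = ([worm_instance(i, 300 + 17 * i) for i in range(6)]
                   + [NORMAL_POOL[1], NORMAL_POOL[3]])


if __name__ == "__main__":
    sigs = generate_length_signatures(NORMAL_POOL, SUSPICIOUS_POOL)
    print("signatures:", sigs)
    print("normal hits:", sum(matches(sigs, m) for m in NORMAL_POOL))
    print("suspicious hits:", sum(matches(sigs, m) for m in SUSPICIOUS_POOL))
```

On the constructed pools the generator emits a single signature on the URI field at the length of the shortest worm instance; the two noise flows are left uncovered and the loop stops because no threshold on any field separates them from normal traffic at the chosen false positive bound. A fresh worm instance with different filler bytes still matches, which is the evasion-resistance point of the slide.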
Evaluation of Signature Quality
• Seven polymorphic worms based on real-world
vulnerabilities and exploits from securityfocus.com
• Real traffic collected at two gigabit links of a
campus edge routers in 2006 (40GB for evaluation)
• Another 123GB SPAM dataset
Accomplishments on Publications
• Four conference papers, one journal paper, and one tech report
– Hop ID: A Virtual Coordinate based Routing for Sparse Mobile Ad
Hoc Networks, to appear in IEEE Transaction on Mobile Computing.
– A Suite of Schemes for User-level Network Diagnosis without
Infrastructure, to appear in the Proc. of IEEE INFOCOM, 2007
(18%).
– Internet Cache Pollution Attacks and Countermeasures, in Proc. of
the 14th IEEE International Conference on Network Protocols
(ICNP), Nov. 2006 (14%).
– Automatic Vulnerability Checking of IEEE 802.16 WiMAX Protocols
through TLA+, in Proc. of the Second Workshop on Secure Network
Protocols (NPSec) (33%).
– A DoS Resilient Flow-level Intrusion Detection Approach for
High-speed Networks, in Proc. of IEEE International
Conference on Distributed Computing Systems (ICDCS), 2006
(14%).
– Abstraction Techniques for Model-Checking Parameterized Systems,
EECS Tech. Report, 2007.
Students Involved
• PhD students:
– Yan Gao, Zhichun Li, Yao Zhao (all in their 3rd years),
– Nicos Liveris (4th year)
• MS students:
– Prasad Narayana (graduating, will work for Motorola
soon)
– Sagar Vemuri (1st year)
• Undergraduate student:
– Coh Yoshizaki
Mobile IPv6 (RFC 3775)
• Provides mobility at IP Layer
• Enables IP-based communication to
continue even when the host moves
from one network to another
• Host movement is completely
transparent to Layer 4 and above
Mobile IPv6 - Entities
• Mobile Node (MN) – Any IP host which is mobile
• Correspondent Node (CN) – Any IP host
communicating with the MN
• Home Agent (HA) – A host/router in the Home
network which:
– Is always aware of MN’s current location
– Forwards any packet destined to MN
– Assists MN to optimize its route to CN
Mobile IPv6 - Process
• (Initially) MN is in home network and connected to
CN
• MN moves to a foreign network:
– Registers new address with HA by sending Binding Update
(BU) and receiving Binding Ack (BA)
– Performs Return Routability to optimize route to CN by
sending HoTI, CoTI and receiving HoT, CoT
– Registers with CN using BU and BA
Mobile IPv6 in Action
(Diagram) Home Network with the Home Agent; Foreign Network with the Mobile Node after it has moved; Correspondent Node reached across the Internet. The MN sends a BU to the HA and receives a BA. HoTI and HoT travel through the HA–MN tunnel, while CoTI and CoT go directly between MN and CN. After Return Routability the MN sends a BU to the CN and receives a BA.
Mobile IPv6 Vulnerability
• Nullifies the effect of Return Routability
• A BA with status code 136 (expired home nonce index), 137 (expired
care-of nonce index) or 138 (expired nonces) is sent without Binding
Authorization Data (RFC 3775), so it is unprotected and the MN cannot
verify it
• Man-in-the-middle attack (any attacker who can see the BU and inject
packets toward the MN)
– Sniffs BU to CN
– Injects BA to MN with one of the status codes above
• MN either retries RR or gives up route optimization and goes through HA
MIPv6 Attack In Action
(Diagram) Participants: MN, HA, AT (attacker), CN. Message flow labels: Start Return Routability; Restart Return Routability; Silently Discard Bind Ack. The MN starts Return Routability and sends its BU toward the CN; the attacker injects a Bind Ack with an unprotected status code, and the MN restarts Return Routability or silently discards the Bind Ack and falls back to the HA.
MIPv6 Vulnerability - Effects
• Performance degradation by forcing
communication through sub-optimal routes
• Possible overloading of HA and Home Link
• Service disruption – Communication between
two mobile entities can be disrupted if they
were already using optimized route
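The script below is an added example written for this page; it is not the project's TLA+ models or any Motorola or Northwestern code. It does for this vulnerability, in Python, what the "Our Approach" slide describes for the 802.16e and Mobile IPv6 specs: the MN, the CN and an attacker are written down as a state machine, every interleaving of their moves is explored exhaustively, and the first reachable state violating the property "the MN never abandons route optimization" is reported with its trace. The reduced message set (HoTI/CoTI/HoT/CoT collapsed into one MN step), the attacker's capabilities (sees the BU, injects BAs, cannot compute Kbm) and the restart limit `MAX_RR_RESTARTS` are modelling assumptions; the protocol facts are the ones on the slides and in RFC 3775.

```python
"""Explicit-state search for the Mobile IPv6 Binding Acknowledgement attack.

Added example (not the TLA+ models or any code from the Northwestern /
Motorola project): a small hand-written state-space explorer that plays
the role of a model checker, enumerating every interleaving of the honest
parties and an attacker and reporting the first reachable state that
violates a safety property.  The message set, the attacker model and
MAX_RR_RESTARTS are assumptions; the protocol facts used are those on the
slides and in RFC 3775: a BA with status 136, 137 or 138 carries no
Binding Authorization Data, every other BA must.
"""
from collections import deque
from dataclasses import dataclass, replace
from typing import FrozenSet, Iterator, Optional, Tuple

ACCEPTED = 0                      # RFC 3775 6.1.8 status values
REASON_UNSPECIFIED = 128
EXPIRED_HOME_NONCE_INDEX = 136
EXPIRED_CAREOF_NONCE_INDEX = 137
EXPIRED_NONCES = 138
# RFC 3775 9.5.4: the CN cannot derive Kbm once the nonces have expired, so
# these BAs are sent without an authenticator and the MN cannot verify them.
UNPROTECTED_STATUS = frozenset(
    {EXPIRED_HOME_NONCE_INDEX, EXPIRED_CAREOF_NONCE_INDEX, EXPIRED_NONCES})

MAX_RR_RESTARTS = 2  # assumed: after this many restarts the MN gives up route optimisation

Msg = Tuple[str, int, bool]  # (kind, status, carries a valid Kbm-keyed authenticator)
BU = ("BU", ACCEPTED, True)
GENUINE_BA = ("BA", ACCEPTED, True)


@dataclass(frozen=True)
class State:
    mn: str                 # "RR" (running return routability), "BU_SENT", "RO", "NO_RO"
    restarts: int
    cn_binding: bool        # CN holds a binding cache entry for the MN's care-of address
    inflight: FrozenSet[Msg]


def step(s: State, attacker: bool) -> Iterator[Tuple[str, State]]:
    """Yield (label, next_state) for every enabled move of the MN, the CN or the attacker."""
    if s.mn == "RR":
        yield ("MN: HoTI/CoTI and HoT/CoT done, send authenticated BU",
               replace(s, mn="BU_SENT", inflight=s.inflight | {BU}))
    if BU in s.inflight:
        yield ("CN: BU authenticator valid, cache binding, send authenticated BA(0)",
               replace(s, cn_binding=True, inflight=(s.inflight - {BU}) | {GENUINE_BA}))
    if s.mn == "BU_SENT":
        for msg in s.inflight:
            kind, status, auth = msg
            if kind != "BA":
                continue
            rest = s.inflight - {msg}
            if status in UNPROTECTED_STATUS:
                # Nothing to verify (RFC 3775 11.7.2): rerun Return Routability, or give up.
                if s.restarts < MAX_RR_RESTARTS:
                    yield (f"MN: BA({status}) is unprotected, restart Return Routability",
                           replace(s, mn="RR", restarts=s.restarts + 1, inflight=rest))
                else:
                    yield (f"MN: BA({status}) again, give up route optimisation, go via HA",
                           replace(s, mn="NO_RO", inflight=rest))
            elif auth and status == ACCEPTED:
                yield ("MN: BA(0) authenticator valid, route optimisation established",
                       replace(s, mn="RO", inflight=rest))
            else:
                yield (f"MN: BA({status}) fails authenticator check, silently discard",
                       replace(s, inflight=rest))
        if attacker:
            # The attacker saw the BU on the wire; it can forge any BA but cannot
            # compute Kbm, so every forged BA is unauthenticated.
            for status in (ACCEPTED, REASON_UNSPECIFIED, *sorted(UNPROTECTED_STATUS)):
                forged = ("BA", status, False)
                if forged not in s.inflight:
                    yield (f"AT: sniff BU, inject forged BA({status}) to MN",
                           replace(s, inflight=s.inflight | {forged}))


def find_violation(attacker: bool) -> Optional[Tuple[str, ...]]:
    """Breadth-first search over all interleavings; return the shortest trace that drives
    the MN to give up route optimisation, or None if no such state is reachable."""
    init = State("RR", 0, False, frozenset())
    seen = {init}
    queue = deque([(init, ())])
    while queue:
        s, trace = queue.popleft()
        if s.mn == "NO_RO":
            return trace
        for label, nxt in step(s, attacker):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + (label,)))
    return None


if __name__ == "__main__":
    print("without attacker:", find_violation(False))
    for i, line in enumerate(find_violation(True) or (), 1):
        print(f"{i:2d}. {line}")
```

Without the attacker the search finds no violating state. With the attacker, every forged BA(0) or BA(128) is discarded because its authenticator fails, but a forged BA with status 136, 137 or 138 is accepted unchecked, and the shortest counterexample is the repeated injection that exhausts the restart budget and pushes the MN back through the HA, which is the degradation described on the effects slide.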
Conclusions
• Vulnerability analysis of 802.16e specs (WiMAX)
and mobile IP protocols
• Adaptive Intrusion Detection and Mitigation for
WiMAX Networks (WAIDM)
Thank You!
Existing WLAN Security Technology
Insufficient for WiMAX Networks
• Cryptography and authentication cannot prevent
attacks from penetrating WiMAX networks
– Viruses, worms, DoS attacks, etc.
• 802.16 IDS development can potentially lead to
critical gain in market share
– All major WLAN vendors integrated IDS into products
• Limitations of existing IDSes (including WIDS)
– Mostly host-based, and not scalable to high-speed
networks
– Mostly simple signature based, cannot deal with unknown
attacks, polymorphic worms
– Mostly ignore dynamics and mobility of wireless networks
Deployment of WAIDM
(Diagram) (a) Original configuration: Users – 802.16 BS – Switch/BS controller – Internet. (b) WAIDM deployed: the WAIDM system is attached to a scan port of the Switch/BS controller that connects the 802.16 BSs to the Internet.
• Attached to a switch connecting BS as a black box
• Enable the early detection and mitigation of global scale attacks
• Could be differentiator for Motorola’s 802.16 products