motorola-review-June.. - Computer Science Division


Vulnerability Analysis and Intrusion Mitigation Systems for WiMAX Networks
Yan Chen, Hai Zhou
Northwestern Lab for Internet and Security Technology (LIST)
Dept. of Electrical Engineering and Computer Science, Northwestern University
http://list.cs.northwestern.edu
Motorola Liaisons: Greg W. Cox, Z. Judy Fu, Phil Roberts, and Peter McCann (Motorola Labs)
The Current Threat Landscape and
Countermeasures of WiMAX Networks
• WiMAX: next wireless phenomenon
– Predicted multi-billion dollar industry
• WiMAX faces both Internet attacks and wireless
network attacks
– E.g., 6 new viruses, including Cabir and Skulls, with 30
variants targeting mobile devices
• Goal of this project: secure WiMAX networks
• Big security risks for WiMAX networks
– No formal analysis about WiMAX security vulnerabilities
– No intrusion detection/mitigation product/research
tailored towards WiMAX networks
Security Challenges in WiMAX
Networks
• In addition to sharing the challenges of wired networks
– High-speed traffic
– Zero-day threats
• Wireless networks are more vulnerable
– Open media
• Easy to sniff, spoof and inject packets
– Open access
• Hotspots and potential large user population
• Attacks are more diverse
– On media access (e.g., jamming), but easy to detect
– On protocols (our focus)
Overall Approach and Achievement
• Adaptive Intrusion Detection and Mitigation for WiMAX Networks (WAIDM)
– Focus on the emerging threats: polymorphic zero-day worms and botnets
– High-speed network monitoring and anomaly/intrusion detection
– Polymorphic zero-day worm signature generation
– Both designed, implemented and fully evaluated
– All code is available to Motorola
• Vulnerability analysis and defense of WiMAX networks at various layers
– IEEE 802.16e: MAC layer
– Mobile IP v4/6: network layer
– EAP layer (generalized to various wireless and cellular networks)
– Finished for WiMAX, generalization ongoing
Overall Approach and Achievement II
• Twelve conference and two journal papers
– Some more are under submission
• Two book chapters
• One patent filed
Outline
• Threat landscape and motivation
• Overall approach and achievement
• Accomplishment this year
• Error-message based DoS attacks of wireless
networks and the defense
Accomplishments This Year
• Most were achieved in close interaction with the Motorola liaisons
• Automatic polymorphic worm signature generation systems for high-speed networks
– Fast, noise tolerant, with proven attack resilience
– Resulted in two joint papers with Motorola Labs
• “Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms”, published in the IEEE International Conference on Network Protocols (ICNP) 2007 (14% acceptance rate)
• A journal paper submitted to IEEE/ACM Trans. on Networking
– Patent filed through Motorola
• “Method and Apparatus to Facilitate Generating Worm-Detection Signatures Using Data Packet Field Lengths”, U.S. Patent Application No. 11/985,760, filed Dec. 18, 2007
Accomplishments on Publications
Four conference papers, one journal paper and two book chapters
– “Accurate and Efficient Traffic Monitoring Using Adaptive Non-linear Sampling Method”, in the Proc. of IEEE INFOCOM, 2008
– “A Survey of Existing Botnet Defenses”, in the Proc. of IWSSE 2008
– “Honeynet-based Botnet Scan Traffic Analysis”, invited book chapter for “Botnet Detection: Countering the Largest Security Threat”, Springer, 2007
– “Integrated Fault and Security Management”, invited book chapter for “Information Assurance: Dependability and Security in Networked Systems”, Morgan Kaufmann Publishers, 2007
– “Reversible Sketches: Enabling Monitoring and Analysis over High-speed Data Streams”, in ACM/IEEE Transactions on Networking, Volume 15, Issue 5, Oct. 2007
– “Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms”, in the Proc. of the 15th IEEE International Conference on Network Protocols (ICNP), 2007
– “Detecting Stealthy Spreaders Using Online Outdegree Histograms”, in the Proc. of the IEEE International Workshop on Quality of Service, 2007
Students Involved
• PhD students:
– Zhichun Li, Yao Zhao (both in their 4th years)
– Lanjia Wang (visiting PhD student)
• MS students:
– Sagar Vemuri (2nd year)
– Jiazhen Chen (1st year)
Error-message Based DoS Attacks of Wireless Networks and the Defense
Vulnerability and Attack Methodology
• Processing error messages imprudently
– Error messages are in clear text before authentication
– Messages are trusted without an integrity check
• Attack requirements
– Sniffing: easy on wireless networks
– Spoofing before authentication completes
• Easy on wireless LANs and doable on cellular networks
• Basic attack idea
– Spoof and inject error messages, or wrong messages that trigger error messages, to clients and/or servers
• Maybe a known problem, but largely ignored
Outline
• Vulnerability and Attack Methodology
• Attack Case Studies
– EAP protocols for wireless and cellular
networks
– Mobile IPv6 route optimization protocol
(skipped)
• Countermeasures
• Conclusions
EAP Authentication on Wireless Networks
[Figure: EAP protocol stack]
– Authentication method layer: EAP-TLS, EAP-TTLS, PEAP and EAP-FAST (authentication primitive: TLS); EAP-SIM and EAP-AKA (authentication primitive: challenge/response)
– EAP layer: Extensible Authentication Protocol (EAP)
– Data link layer: EAP over LAN (EAPOL) on 802.11 WLAN; GSM; UMTS/CDMA2000
TLS Authentication Procedure
• TLS handshake protocol: client and server negotiate a stateful connection using a handshake procedure.
[Figure: handshake message flow between server end and client end]
– Server to client: Hello Request
– Client to server: Client Hello
– Server to client: Server Hello, Server Certificate, Key-exchange message, Server Hello Done
– Client to server: Client Key-exchange message, Change Cipher Spec, TLS Finished
– Server to client: Change Cipher Spec, TLS Finished
– Encrypted conversation over TLS
DoS Attacks on TLS Authentication
• Sniff to get the client MAC address and IDs
– Packets are in clear text before authentication
• Send spoofed error messages
– Before authentication is done, the attacker spoofs an alert message of level ‘fatal’, followed by a close_notify alert.
– The handshake protocol then fails and has to be tried again.
• Complete the DoS attack
– The attacker repeats the previous steps to stop every retry
• The attack does not depend on the link-layer cipher: whether the network uses WPA2, WPA or WEP, the EAP/TLS handshake is still in clear text at this point, because the link keys are only derived after authentication succeeds.
DoS Attacks on TLS: Illustration
[Figure: TLS handshake between client end and server end, with the attacker's two injection points]
– Server to client: Hello Request
– Client to server: Client Hello
– Attack Point-1 (early in the handshake, around the Client Hello): attacker injects a spoofed Error Message
– Server to client: Server Hello, Server Certificate, Server Key-exchange message, Certificate Request, Server Hello Done
– Client to server: Certificate, Client Key-exchange message, Certificate Verify, Finished
– Attack Point-2 (late in the handshake, around the client's Finished): attacker injects a spoofed Error Message
• The injected Error Message is a TLS Alert of level Fatal
• Can attack either the client or the server
DoS Attack on Challenge/Response over EAP-AKA
[Figure: EAP-AKA exchange between server end and client end]
– Server to client: EAP-Request/Identity
– Client to server: EAP-Response/Identity (NAI)
– Server to client: AKA-Challenge (RAND, AUTN, MAC)
– Client to server: AKA-Response (RES, MAC), or AKA-Authentication-Reject on failure
– Server to client: EAP-Success, or AKA-Notification on failure
• Simple attack: send a spoofed error message (AKA-Authentication-Reject toward the server, AKA-Notification toward the client)
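The checks a passive monitor would apply to catch the spoofed messages in the TLS and EAP-AKA slides above, written here as an added example (it is not code from the LIST/Motorola project). It parses the EAP header, EAP-TLS records and EAP-AKA attributes per RFC 3748, RFC 5216, RFC 5246 and RFC 4187 and reports a TLS alert that arrives before both sides have sent ChangeCipherSpec, an AKA-Authentication-Reject (which by design carries no AT_MAC) and an AKA-Notification without AT_MAC. The sample packets are constructed inline; the code assumes fragmented EAP-TLS messages were reassembled first and checks only the presence of AT_MAC, not its value.

```python
"""Flag error messages that arrive before any integrity protection exists in an
EAP-TLS or EAP-AKA conversation (added example, not the project's code)."""
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_TLS, EAP_TYPE_AKA = 13, 23
TLS_CHANGE_CIPHER_SPEC, TLS_ALERT, TLS_HANDSHAKE = 20, 21, 22
ALERT_CLOSE_NOTIFY, ALERT_FATAL = 0, 2
AKA_AUTH_REJECT, AKA_NOTIFICATION = 2, 12   # EAP-AKA subtypes (RFC 4187)
AT_MAC, AT_NOTIFICATION = 11, 12            # EAP-AKA attribute types


def parse_eap(pkt):
    """Split one EAP packet into (code, identifier, method type, method data)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 5:
        raise ValueError("bad EAP length")
    return code, ident, pkt[4], pkt[5:]


def tls_records(eap_tls_data):
    """Return [(content_type, body)] from EAP-TLS method data (flags byte first)."""
    flags, off = eap_tls_data[0], 1
    if flags & 0x80:                 # L bit: 4-byte TLS message length follows
        off += 4
    out, data = [], eap_tls_data[off:]
    while data:
        ctype, _version, rlen = struct.unpack("!BHH", data[:5])
        out.append((ctype, data[5:5 + rlen]))
        data = data[5 + rlen:]
    return out


def aka_attributes(aka_data):
    """Return {attribute type: value} from EAP-AKA data; lengths are in 4-octet units."""
    attrs, data = {}, aka_data[3:]   # skip subtype(1) + reserved(2)
    while data:
        atype, alen = data[0], data[1] * 4
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs


class EapErrorMonitor:
    """Per-conversation state. TLS alerts are only protected once both sides have
    sent ChangeCipherSpec; AKA messages only when they carry AT_MAC."""

    def __init__(self):
        self.ccs_seen = {EAP_REQUEST: False, EAP_RESPONSE: False}

    def observe(self, pkt):
        code, ident, etype, data = parse_eap(pkt)
        findings = []
        if etype == EAP_TYPE_TLS:
            for ctype, body in tls_records(data):
                if ctype == TLS_CHANGE_CIPHER_SPEC:
                    self.ccs_seen[code] = True
                elif ctype == TLS_ALERT and not all(self.ccs_seen.values()):
                    level, desc = body[0], body[1]
                    if level == ALERT_FATAL:
                        findings.append(f"id {ident}: unprotected fatal TLS alert ({desc}) before Finished; receiver aborts the handshake")
                    elif desc == ALERT_CLOSE_NOTIFY:
                        findings.append(f"id {ident}: unprotected close_notify before Finished")
        elif etype == EAP_TYPE_AKA:
            subtype, attrs = data[0], aka_attributes(data)
            if subtype == AKA_AUTH_REJECT:
                findings.append(f"id {ident}: AKA-Authentication-Reject never carries AT_MAC; spoofable toward the server")
            elif subtype == AKA_NOTIFICATION and AT_MAC not in attrs:
                findings.append(f"id {ident}: AKA-Notification without AT_MAC; spoofable toward the client")
        return findings


def build_eap(code, ident, etype, data):
    return struct.pack("!BBHB", code, ident, 5 + len(data), etype) + data


def build_eap_tls(code, ident, records):
    body = b"".join(struct.pack("!BHH", c, 0x0303, len(b)) + b for c, b in records)
    return build_eap(code, ident, EAP_TYPE_TLS, b"\x00" + body)   # flags byte: no L/M/S bits


def build_eap_aka(code, ident, subtype, attrs):
    body = bytes([subtype, 0, 0])
    for atype, value in attrs:                 # values pre-padded so 2+len is a multiple of 4
        body += bytes([atype, (2 + len(value)) // 4]) + value
    return build_eap(code, ident, EAP_TYPE_AKA, body)


def demo():
    """Constructed exchanges; returns the findings per step so they can be checked."""
    tls, aka, out = EapErrorMonitor(), EapErrorMonitor(), {}
    out["server_hello"] = tls.observe(build_eap_tls(EAP_REQUEST, 1, [(TLS_HANDSHAKE, bytes.fromhex("020000030303"))]))
    out["spoofed_alert"] = tls.observe(build_eap_tls(EAP_REQUEST, 2, [(TLS_ALERT, bytes([ALERT_FATAL, 40]))]))  # handshake_failure
    out["spoofed_close"] = tls.observe(build_eap_tls(EAP_REQUEST, 2, [(TLS_ALERT, bytes([1, ALERT_CLOSE_NOTIFY]))]))
    tls.observe(build_eap_tls(EAP_RESPONSE, 3, [(TLS_CHANGE_CIPHER_SPEC, b"\x01")]))
    tls.observe(build_eap_tls(EAP_REQUEST, 4, [(TLS_CHANGE_CIPHER_SPEC, b"\x01")]))
    out["protected_alert"] = tls.observe(build_eap_tls(EAP_REQUEST, 5, [(TLS_ALERT, bytes([ALERT_FATAL, 40]))]))  # now under the record MAC
    out["aka_reject"] = aka.observe(build_eap_aka(EAP_RESPONSE, 6, AKA_AUTH_REJECT, []))
    out["aka_notify"] = aka.observe(build_eap_aka(EAP_REQUEST, 7, AKA_NOTIFICATION, [(AT_NOTIFICATION, b"\x40\x00")]))
    out["aka_notify_mac"] = aka.observe(build_eap_aka(EAP_REQUEST, 8, AKA_NOTIFICATION,
                                                      [(AT_NOTIFICATION, b"\x40\x00"), (AT_MAC, b"\x00\x00" + bytes(16))]))
    return out


if __name__ == "__main__":
    for step, findings in demo().items():
        print(step, findings or "ok")
```

The alert in the last TLS step is not reported because after both ChangeCipherSpec messages every record is encrypted and MACed, so a forged alert would be rejected by the record layer; that boundary is exactly what the attack exploits by injecting earlier.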
DoS Attack Experiment on a WiFi Network with the PEAP Protocol
• Hardware
– Wi-Fi cards with Atheros chipsets (e.g., Proxim Orinoco Gold wireless adapter)
– MADWifi driver
• Code implementation
– Libraries
• Sniffing: libpcap
• Spoofing: LORCON
– Attacking code
• About 1200 lines of C++ code on Ubuntu Linux
Field Test Results
We conducted the EAP-TLS attack experiments at a cafeteria.
• 7 mobile hosts and one attacker
• We successfully attacked all of them on one of the two channels
Attack Efficiency Evaluation
Attack point     Ratio by # of messages   Ratio by bytes
Attack Point 1   25.00% [1/4]             15.89% [78/491]
Attack Point 2   28.57% [2/7]             14.87% [156/1049]
• For example, when the attack happens at the second point, the attacker only needs to send 156 bytes of messages to wreck the whole 1049 bytes of authentication messages.
Scalability Evaluation by NS-2 Simulations
• Vary the # of simultaneous sign-on clients up to 100
– All results are averages over 100 runs.
• Shows that the attack scales: very few clients are able to authenticate successfully.
NS-2 Simulation Results II
• Even better results when sending error messages more aggressively by reducing the attacker's CWMin parameter
– The attacker's back-off time is reduced, so its spoofed alert wins the contention for the channel more often.
Outline
• Vulnerability and Attack Methodology
• Attack Case Studies
– EAP protocols for wireless and cellular
networks
– Mobile IPv6 route optimization protocol
(skipped)
• Countermeasures
• Conclusions
Countermeasures
• Enhance the robustness of the authentication protocol for wireless access
– Delay the decision: wait a short time for a success message (if any) to arrive; and
– Give preference to success messages over error messages.
– Implemented; it successfully thwarts the EAP-TLS attacks
Conclusions
• We have designed new methods to launch DoS attacks on security protocols using error messages.
• We found that any security protocol is vulnerable to such attacks as long as it accepts a few error messages before the authentication step completes.
• We demonstrated the effect of these attacks on the TLS and MIPv6 protocols.
• As far as we know, no current authentication protocol is secure against such attacks.
• We suggest a few guidelines for protocol designers and implementers to defend against such attacks.
Backup Slides
EAP and TLS Authentication
• Extensible Authentication Protocol (EAP)
is a PPP extension
– Provides support for additional authentication
methods within PPP.
• Transport Layer Security (TLS)
– Mutual authentication
– Integrity-protected cipher suite negotiation
– Key exchange
• Challenge/Response authentication with pre-shared keys
– Pre-shared key (Ki) in the SIM and the AuC
– The AuC challenges the mobile station with RAND
– Both sides derive keys based on Ki and RAND
EAP-TLS Attack Practical Experiment
[Pie chart: Attack Point-1 79%, Attack Point-2 21%]
• For the 33 different tries
– All suffered an attack at Attack Point-1
– 21% survived the first attack but failed at the 2nd Attack Point.
• Simulate one TLS server, one TLS attacker and between 1 and 100 TLS clients.
– The clients authenticate to the TLS server simultaneously.
– This is an extremely rare case in practice.
• A base station was set up to interface between the wired and wireless networks.
• The duplex link between the BS and the TLS server was 100 Mbps with a 10 ms delay.
Case 2: Mobile IPv6 Routing-Optimization Protocol
Mobile IPv6
• Mobile IPv6 is a protocol which allows nodes to
remain reachable while moving around in the
IPv6 Internet.
– Each mobile node is always identified by its home
address, regardless of its current point of
attachment to the Internet.
– IPv6 packets addressed to a mobile node's home
address are transparently routed to its care-of
address.
– The protocol enables IPv6 nodes to cache the
binding of a mobile node's home address with its
care-of address, and to then send any packets
destined for the mobile node directly to it at this
care-of address.
Return Routability Procedure
• The procedure begins when the MN sends a HoTI message to the CN through the HA and a CoTI message directly to the CN.
• The CN answers with a HoT (through the HA) and a CoT (directly); the MN uses the two tokens to key the Binding Update it then sends to the CN.
• Upon receipt of the Binding Update, the CN adds an entry for the MN in its Binding Cache and optionally sends a Binding Acknowledgement.
• Once this happens, the MN and CN are capable of communicating over a direct route.
– This way, the route between MN and CN is optimized.
Return Routability Procedure (figure): once return routability completes, the MN and CN can communicate over a direct route; the route between MN and CN is optimized.
The Vulnerability
• Binding Error vulnerability
– Used to disable the Route Optimization procedure.
• A Binding Error message with Status set to 2 (unrecognized MH Type value) makes the mobile node cease its attempt to use route optimization (the specification says it SHOULD).
• The Binding Error message is not protected.
• Binding Acknowledgement vulnerability
– Affects the Return Routability procedure.
• A Binding Acknowledgement with status 136, 137 or 138 indicates a nonce error and is not protected in any way
• Hence it can easily be spoofed by an external entity
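A parser that recognises the two unprotected mobility messages just listed, added here as an example and not part of the testbed code. Layouts follow RFC 3775 (Mobility Header; Binding Acknowledgement, MH Type 6; Binding Error, MH Type 7; Pad1, PadN and Binding Authorization Data options). The sample packets, the home address 2001:db8::1 and the zero checksum are constructed for the example.

```python
"""Flag unauthenticated MIPv6 Binding Error / Binding Ack messages (added example)."""
import ipaddress
import struct

MH_BINDING_ACK, MH_BINDING_ERROR = 6, 7
OPT_PAD1, OPT_PADN, OPT_BINDING_AUTH_DATA = 0, 1, 5
BE_UNKNOWN_BINDING, BE_UNRECOGNIZED_MH_TYPE = 1, 2
BA_NONCE_ERRORS = {136: "expired home nonce index", 137: "expired care-of nonce index", 138: "expired nonces"}


def parse_mobility_options(data):
    """Return {option type: value}; Pad1 is a lone zero byte, everything else is TLV."""
    opts, i = {}, 0
    while i < len(data):
        if data[i] == OPT_PAD1:
            i += 1
            continue
        otype, olen = data[i], data[i + 1]
        opts[otype] = data[i + 2:i + 2 + olen]
        i += 2 + olen
    return opts


def inspect_mobility_header(pkt):
    """Return findings for one Mobility Header (the bytes after the IPv6 header).
    Header Len counts 8-octet units excluding the first 8 octets."""
    _proto, hdr_len, mh_type, _res, _csum = struct.unpack("!BBBBH", pkt[:6])
    total = (hdr_len + 1) * 8
    if len(pkt) < total:
        raise ValueError("truncated Mobility Header")
    body, findings = pkt[6:total], []
    if mh_type == MH_BINDING_ERROR:
        status = body[0]
        home = ipaddress.IPv6Address(body[2:18])
        if status == BE_UNRECOGNIZED_MH_TYPE:
            findings.append(f"Binding Error status 2 for {home}: unauthenticated, and the MN "
                            "SHOULD cease route optimization on receipt, so it is spoofable")
    elif mh_type == MH_BINDING_ACK:
        status = body[0]
        seq, _lifetime = struct.unpack("!HH", body[2:6])
        opts = parse_mobility_options(body[6:])
        if status in BA_NONCE_ERRORS and OPT_BINDING_AUTH_DATA not in opts:
            findings.append(f"Binding Ack seq {seq} status {status} ({BA_NONCE_ERRORS[status]}) "
                            "without Binding Authorization Data: unauthenticated, restarts return routability")
    return findings


def build_mobility_header(mh_type, message_data):
    """Pad with Pad1/PadN to a multiple of 8 octets, fill in Header Len, leave checksum zero."""
    pad = (-(6 + len(message_data))) % 8
    if pad == 1:
        message_data += bytes([OPT_PAD1])
    elif pad >= 2:
        message_data += bytes([OPT_PADN, pad - 2]) + bytes(pad - 2)
    total = 6 + len(message_data)
    return struct.pack("!BBBBH", 59, total // 8 - 1, mh_type, 0, 0) + message_data  # 59 = No Next Header


def demo():
    """Constructed samples: a spoofed Binding Error, a legitimate protected
    Binding Ack, and a spoofed nonce-expiry Binding Ack."""
    home = ipaddress.IPv6Address("2001:db8::1").packed   # hypothetical MN home address
    be = build_mobility_header(MH_BINDING_ERROR, bytes([BE_UNRECOGNIZED_MH_TYPE, 0]) + home)
    auth = bytes([OPT_BINDING_AUTH_DATA, 12]) + bytes(12)  # 96-bit authenticator (zeros in this sample)
    ba_ok = build_mobility_header(MH_BINDING_ACK, struct.pack("!BBHH", 0, 0, 7, 420) + auth)
    ba_spoof = build_mobility_header(MH_BINDING_ACK, struct.pack("!BBHH", 138, 0, 7, 0))
    return {"binding_error": inspect_mobility_header(be),
            "binding_ack_protected": inspect_mobility_header(ba_ok),
            "binding_ack_spoofed": inspect_mobility_header(ba_spoof)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

The Binding Authorization Data check is presence only; a real receiver would also recompute the authenticator from Kbm, which is precisely what it cannot do for the nonce-error statuses, which is why those Acks go out unprotected.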
The Vulnerability: Binding Error
[Figure: message flow among Mobile Node, Home Agent, Attacker and Correspondent Node]
– MN starts Return Routability: HoTI (via the HA) and CoTI (directly) to the CN
– CN replies: HoT (via the HA) and CoT (directly)
– MN sends a Binding Update to the CN (sniffed by the attacker)
– Attacker sends a spoofed Binding Error to the MN
– Return Routability is retarded; the genuine Binding Ack from the CN is silently discarded
The Vulnerability: Binding Acknowledgement
[Figure: message flow among Mobile Node, Home Agent, Attacker and Correspondent Node]
– MN starts Return Routability: HoTI (via the HA) and CoTI (directly) to the CN
– CN replies: HoT (via the HA) and CoT (directly)
– MN sends a Binding Update to the CN (sniffed by the attacker)
– Attacker sends a spoofed Binding Ack (error status) to the MN
– Return Routability is retarded; the genuine Binding Ack from the CN is silently discarded
Experiment Environment
[Figure: logical testbed topology]
– Nodes: MN (first in the home network, then in the foreign network), HA / Router, CN / Router, Access Router
– Home link (ETH): HA at 2001:106:2700::2; foreign link (ETH): Access Router at 2001:106:1100::1, MN at 2001:106:1100::2
– Routers are interconnected by GRE tunnels; addresses shown on the tunnel and router interfaces: 2001:106:2300::1, 2001:106:2300::2, 2001:106:2700::4, 2001:106:2200::1, 2001:106:2200::2, 2001:106:2100::1, 2001:106:2100::2
Notes:
- All are Linux boxes with one physical wired interface.
- The diagram shows the logical network connection. Physically, all are connected to each other through an IPv4 LAN.
- HA and AR run radvd on ETH interfaces with addresses 2700::2 and 1100::1 respectively.
- MN movement is simulated by bringing the ETH interface up, once in the home network and once in the foreign network.
Evaluation
• The MIPv6 experiment is based on a LAN testbed.
– Except for the Mobile Node, all other components such as the Home Agent and Correspondent Node are connected via wired cable in the Northwestern network.
• We collected data over 100 experiment runs. Observed with Wireshark running on the Mobile Node, the time window for one successful attack is about 5 ms on average, with a standard deviation of 0.108 ms.
• The time consumed to compute the spoofed error message is 0.0203 ms on average. The closer the attacker is to the Mobile Node, the higher the probability of launching a successful error-message attack.
PEAP Enhancement
• Original wpa_supplicant v0.5.10
– Generates a TLS ALERT on unexpected messages
– Stops authentication on a TLS ALERT
• Delayed-response implementation
– Drops unexpected messages silently
– Waits for 1 second after receiving a TLS ALERT to allow multiple responses, and ignores the TLS ALERT if a good response is received.
• Verification
– Redid the attack experiments and confirmed the effect of the countermeasures
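The two countermeasure rules (from the Countermeasures slide and the PEAP Enhancement slide above) as a discrete-event model, added here as an example; it is not the wpa_supplicant 0.5.10 patch itself. Event kinds and timings are constructed: 'alert' is a received TLS fatal alert, 'good' is the expected next handshake message, 'unexpected' is an out-of-order message, and the 1-second window is the one the slide states.

```python
"""Naive vs. delayed-decision supplicant, simulated over timestamped events (added example)."""
from collections import namedtuple

Event = namedtuple("Event", "time kind")


def naive_supplicant(events):
    """Original behaviour: an alert ends the attempt, and an unexpected message
    makes the supplicant send its own TLS alert and stop as well."""
    for ev in sorted(events):
        if ev.kind in ("alert", "unexpected"):
            return "failed"
    return "success"


def delayed_supplicant(events, window=1.0):
    """Countermeasure: unexpected messages are dropped; an alert only counts if
    no good message arrives within `window` seconds of it."""
    alert_at = None
    for ev in sorted(events):
        if alert_at is not None and ev.time > alert_at + window:
            return "failed"                  # window expired: treat the alert as genuine
        if ev.kind == "unexpected":
            continue                         # silently dropped, no alert generated
        if ev.kind == "alert":
            alert_at = alert_at if alert_at is not None else ev.time
        elif ev.kind == "good":
            alert_at = None                  # a good response outranks the earlier alert
    # End of trace with an alert still pending means no good response ever came.
    return "failed" if alert_at is not None else "success"


SCENARIOS = {
    # Spoofed alert races the real server message by a few milliseconds.
    "spoofed_alert_then_real": [Event(0.010, "alert"), Event(0.015, "good"), Event(0.030, "good")],
    # Injected junk that the original supplicant would answer with its own alert.
    "injected_unexpected": [Event(0.005, "unexpected"), Event(0.012, "good")],
    # A real server error: nothing good ever follows.
    "genuine_error": [Event(0.010, "alert")],
    # Attacker keeps injecting and the good message only arrives after the window.
    "alert_outlives_window": [Event(0.010, "alert"), Event(0.500, "alert"), Event(1.200, "good")],
}


def compare(scenarios=SCENARIOS, window=1.0):
    """Return {name: (naive result, delayed result)} for each scenario."""
    return {name: (naive_supplicant(evs), delayed_supplicant(evs, window))
            for name, evs in scenarios.items()}


if __name__ == "__main__":
    for name, (naive, delayed) in compare().items():
        print(f"{name:26s} naive={naive:8s} delayed={delayed}")
```

The last scenario is the tunable: an alert whose window expires before a good message arrives is honoured, which is the right outcome for a real server error and also the residual exposure if the genuine response is held off beyond the window.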