Title: Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting
1Passive Data Link Layer 802.11 Wireless Device
Driver Fingerprinting
- Jason Franklin, Damon McCoy, Parisa Tabriz,
Vicentiu Neagoe, Jamie Van Randwyk, Douglas
Sicker
2Be Pessimistic!
- Today, we take a glass is half-empty view of
device driver security. - We present a fingerprinting technique for 802.11
device drivers under the premise that wireless
device drivers are and will remain vulnerable.
Half-empty
3Outline
- Motivation
- 802.11 and all that jazz
- Fingerprinting Approach
- Evaluation
- Preventative Measures
- Wrap up
4Motivation
- 802.11 is everywhere.
- Coffee shops, airports, homes, businesses, here!
- Full-city coverage (San Francisco, London,
Chicago) - Driver-specific exploits are an emerging threat.
- Drivers are complex, numerous, buggy, and usually
NOT easy to externally interact with. - Wireless drivers, however, are externally
accessible. - 802.11 driver exploits already exist.
- New APIs for 802.11 packet generation will make
writing exploits easier.
5802.11 Basics
Station Device with wireless capabilities
(laptop, PDA, etc.)
Access Point Device that acts as a communication
hub for wireless devices connected to a wireless
LAN
Wireless Frame Unit of data at data-link layer
6Fingerprinting
- What is fingerprinting?
- Process by which a target object is identified by
its externally observable characteristics
7Device Driver Fingerprinting
- Utility of fingerprinting
- Intrusion detection detecting MAC address
spoofing - Network forensics narrow or verify source of
network event or security incident - Reconnaissance targeted attacks
- Why not use the MAC Address?
- MAC address is one way to identify a NIC
manufacturer - Easy to change (spoof) to another legitimate,
copied, or fictitious MAC
8802.11 Active Scanning
- A station sends probe request frames when it
needs to discover access points in a wireless
network. This process is known as active
scanning. - The IEEE 802.11 standard specifies active
scanning as - For every channel
- Broadcast probe request frame
- Start channel timer, t
- If t reaches MinChannelTime AND current channel
is IDLE - Scan to the next channel
- Else
- Wait until t reaches MaxChannelTime
- Process probe response frames from current
channel - Scan to the next channel
- The remaining details of this process
implementation are determined by wireless driver
authors
9Intuition
- As you may have guessed, we distinguish drivers
based on unique active scanning!
10Fingerprinting Approach
REQ
REQ
REQ
Driver signature
11Outline of Method
- Supervised Bayesian Classification
- Create tagged signatures (Bayesian Models)
- 17 different device drivers
- 12 hour traffic traces
- Capture traffic trace for an unidentified driver
- Compare how close the unidentified trace is to
every tagged signature and identify based on
nearest match
12Signature Generation
- Driver signatures are based on the delta arrival
time between probe requests. - Signatures are obtained via binning with an
empirically tuned and fixed bin width. - Record the percentage of probe requests placed in
each bin - Record the average, for each bin, of all actual
(non-rounded) delta arrival time values in that
bin - Generate a vector initialized with these
parameters as the signature for that driver
Windows Engenius driver signature.
13Identification
- Calculate how close the trace is to every known
driver signature using distance metric - Trace is identified as having the driver with the
signature that is the closest according to our
metric
14Factors that Effect Probing
- Association status
- Associated to an access point
- Unassociated
- Driver management
- Managed by Windows
- Managed by NIC vendor drivers
15Experimental Setup
- The fingerprinter Pentium 4 running Linux with a
Cisco Aironet a/b/g wireless card - The victims 17 different wireless drivers,
including drivers from Apple, Cisco, D-link,
Intel, Linksys, Madwifi, Netgear, Proxim, and SMC - The signature database 31 unique driver
signatures with tags and signature of the format - driver assoc-status manager (bin, in bin,
mean)
16Experimental Setup
- Test set 1, Master Signature Database (Lab)
- No background traffic
- No obstructions
- Test set 2 (Home network)
- No background traffic
- Wall between fingerprinter and victim
- Test set 3 (Coffee house)
- Background wireless traffic
- Miscellaneous objects fingerprinter and victim
17Results
Test Set Successful Total Accuracy
1 55 57 96
2 48 57 84
3 44 57 77
18Results
Fingerprinting Accuracy (Percentage)
19Limitations
- Cannot distinguish between different driver
versions - Accuracy is sensitive to network conditions
20Preventing Fingerprinting
- Standardize IEEE 802.11 active scanning
- Power constrained devices will want to probe less
often then devices worried about quick handoffs - Support configurable active scanning
- Off by default?
- Can we expect users to understand when to
appropriately enable or disable active scanning? - Inject probe requests to disguise driver behavior
- Wastes power and bandwidth
- Difficult to ensure that the noise is masking the
driver
21Preventing Fingerprinting
- Modify driver code
- Extremely difficult with closed source drivers
- Non-trivial to modify even in open source drivers
- Patch existing drivers
- Best effort to mitigate driver exploits
- A usable and efficient patching process is needed
to fix existing and future vulnerabilities
discovered in device drivers
22Conclusions
- Wireless devices are a target of attack
- Unique implementations of active scanning can be
used to fingerprint a wireless driver - According to our results, this method of
fingerprinting is highly accurate and efficient - Now that more drivers are externally accessible,
a larger focus needs to be placed on their
software security