Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting

1
Passive Data Link Layer 802.11 Wireless Device
Driver Fingerprinting

• Jason Franklin, Damon McCoy, Parisa Tabriz,
  Vicentiu Neagoe, Jamie Van Randwyk, Douglas
  Sicker

2
Be Pessimistic!

• Today, we take a glass is half-empty view of
  device driver security.
• We present a fingerprinting technique for 802.11
  device drivers under the premise that wireless
  device drivers are and will remain vulnerable.

Half-empty
3
Outline

• Motivation
• 802.11 and all that jazz
• Fingerprinting Approach
• Evaluation
• Preventative Measures
• Wrap up

4
Motivation

• 802.11 is everywhere.
• Coffee shops, airports, homes, businesses, here!
• Full-city coverage (San Francisco, London,
  Chicago)
• Driver-specific exploits are an emerging threat.
• Drivers are complex, numerous, buggy, and usually
  NOT easy to externally interact with.
• Wireless drivers, however, are externally
  accessible.
• 802.11 driver exploits already exist.
• New APIs for 802.11 packet generation will make
  writing exploits easier.

5
802.11 Basics
Station Device with wireless capabilities
(laptop, PDA, etc.)
Access Point Device that acts as a communication
hub for wireless devices connected to a wireless
LAN
Wireless Frame Unit of data at data-link layer
6
Fingerprinting

• What is fingerprinting?
• Process by which a target object is identified by
  its externally observable characteristics

7
Device Driver Fingerprinting

• Utility of fingerprinting
• Intrusion detection detecting MAC address
  spoofing
• Network forensics narrow or verify source of
  network event or security incident
• Reconnaissance targeted attacks
• Why not use the MAC Address?
• MAC address is one way to identify a NIC
  manufacturer
• Easy to change (spoof) to another legitimate,
  copied, or fictitious MAC

8
802.11 Active Scanning

• A station sends probe request frames when it
  needs to discover access points in a wireless
  network. This process is known as active
  scanning.
• The IEEE 802.11 standard specifies active
  scanning as
• For every channel
• Broadcast probe request frame
• Start channel timer, t
• If t reaches MinChannelTime AND current channel
  is IDLE
• Scan to the next channel
• Else
• Wait until t reaches MaxChannelTime
• Process probe response frames from current
  channel
• Scan to the next channel
• The remaining details of this process
  implementation are determined by wireless driver
  authors

9
Intuition

• As you may have guessed, we distinguish drivers
  based on unique active scanning!

10
Fingerprinting Approach
REQ
REQ
REQ
Driver signature
11
Outline of Method

• Supervised Bayesian Classification
• Create tagged signatures (Bayesian Models)
• 17 different device drivers
• 12 hour traffic traces
• Capture traffic trace for an unidentified driver
• Compare how close the unidentified trace is to
  every tagged signature and identify based on
  nearest match

12
Signature Generation

• Driver signatures are based on the delta arrival
  time between probe requests.
• Signatures are obtained via binning with an
  empirically tuned and fixed bin width.
• Record the percentage of probe requests placed in
  each bin
• Record the average, for each bin, of all actual
  (non-rounded) delta arrival time values in that
  bin
• Generate a vector initialized with these
  parameters as the signature for that driver

Windows Engenius driver signature.
13
Identification

• Calculate how close the trace is to every known
  driver signature using distance metric
• Trace is identified as having the driver with the
  signature that is the closest according to our
  metric

14
Factors that Effect Probing

• Association status
• Associated to an access point
• Unassociated
• Driver management
• Managed by Windows
• Managed by NIC vendor drivers

15
Experimental Setup

• The fingerprinter Pentium 4 running Linux with a
  Cisco Aironet a/b/g wireless card
• The victims 17 different wireless drivers,
  including drivers from Apple, Cisco, D-link,
  Intel, Linksys, Madwifi, Netgear, Proxim, and SMC
• The signature database 31 unique driver
  signatures with tags and signature of the format
• driver assoc-status manager (bin, in bin,
  mean)

16
Experimental Setup

• Test set 1, Master Signature Database (Lab)
• No background traffic
• No obstructions
• Test set 2 (Home network)
• No background traffic
• Wall between fingerprinter and victim
• Test set 3 (Coffee house)
• Background wireless traffic
• Miscellaneous objects fingerprinter and victim

17
Results
Test Set Successful Total Accuracy
1 55 57 96
2 48 57 84
3 44 57 77
18
Results
Fingerprinting Accuracy (Percentage)
19
Limitations

• Cannot distinguish between different driver
  versions
• Accuracy is sensitive to network conditions

20
Preventing Fingerprinting

• Standardize IEEE 802.11 active scanning
• Power constrained devices will want to probe less
  often then devices worried about quick handoffs
• Support configurable active scanning
• Off by default?
• Can we expect users to understand when to
  appropriately enable or disable active scanning?
• Inject probe requests to disguise driver behavior
• Wastes power and bandwidth
• Difficult to ensure that the noise is masking the
  driver

21
Preventing Fingerprinting

• Modify driver code
• Extremely difficult with closed source drivers
• Non-trivial to modify even in open source drivers
• Patch existing drivers
• Best effort to mitigate driver exploits
• A usable and efficient patching process is needed
  to fix existing and future vulnerabilities
  discovered in device drivers

22
Conclusions

• Wireless devices are a target of attack
• Unique implementations of active scanning can be
  used to fingerprint a wireless driver
• According to our results, this method of
  fingerprinting is highly accurate and efficient
• Now that more drivers are externally accessible,
  a larger focus needs to be placed on their
  software security