
Vulnerability Analysis and Intrusion Mitigation Systems for WiMAX Networks
Yan Chen, Hai Zhou
Northwestern Lab for Internet and Security Technology (LIST)
Dept. of Electrical Engineering and Computer Science, Northwestern University
http://list.cs.northwestern.edu
Motorola Liaisons: Greg W. Cox, Z. Judy Fu, Peter McCann, and Philip R. Roberts
Motorola Labs
The Current Threat Landscape and Countermeasures of WiMAX Networks
• WiMAX: the next wireless phenomenon
– Predicted to be a multi-billion dollar industry
• WiMAX faces both Internet attacks and wireless network attacks
– E.g., 6 new viruses, including Cabir and Skulls, with 30 variants targeting mobile devices
• Goal of this project: secure WiMAX networks
• Big security risks for WiMAX networks
– No formal analysis of WiMAX security vulnerabilities
– No intrusion detection/mitigation product or research tailored to WiMAX networks
Security Challenges in Wireless Networks
• Wireless networks are more vulnerable than wired networks
– Open medium
» Easy to sniff, spoof and inject packets
– Open access
» Hotspots and a potentially large user population
• Attacks are more diverse
– On medium access (e.g., jamming), but these are easy to detect
– On protocols (our focus)
Our Approach
• Vulnerability analysis of WiMAX networks at various layers
– IEEE 802.16e: MAC layer (done in year 2)
– Mobile IPv4/v6: network layer (started in year 2)
– EAP layer
• Adaptive Intrusion Detection and Mitigation for WiMAX Networks (WAIDM)
– Could be a differentiator for Motorola’s 802.16 products
– Focus on the emerging threats: polymorphic zero-day worms and botnets
Outline
• Threat Landscape and Motivation
• Our approach
• Accomplishments
• Network-based zero-day polymorphic worm signature generation
• DoS attacks on wireless networks with error messages in EAP-TLS protocols
Accomplishments This Year (I)
• Most achieved with close interaction with Motorola liaisons
• Automatic polymorphic worm signature generation systems for high-speed networks
– Fast, noise tolerant, with proved attack resilience
– Resulted in a joint paper with Motorola Labs: “Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms”, published in the IEEE International Conference on Network Protocols (ICNP) 2007 (14% acceptance rate).
– Patent filed through Motorola.
» “Method and Apparatus to Facilitate Generating Worm-Detection Signatures Using Data Packet Field Lengths”, U.S. Patent Application No. 11/985,760. Filed on Dec. 18, 2007.
– A journal paper submitted to IEEE/ACM Transactions on Networking.
Accomplishments This Year (II)
• Vulnerability analysis of wireless network protocols
– IP layer and authentication layer
• Found a general class of “error-message” based attacks
• Attack requirements
– Sniffing
– Spoofing before authentication completes
• Basic idea
– Spoof and inject error messages, or wrong messages that trigger error messages
– Clients’ requests fail, leading to DoS attacks
• Examples of vulnerable protocols
– EAP-TLS protocol
– Mobile IPv6 route optimization
Accomplishments on Publications
• Three conference papers, one journal paper and two book chapters
– “Accurate and Efficient Traffic Monitoring Using Adaptive Nonlinear Sampling Method”, to appear in the Proc. of IEEE INFOCOM, 2008
– “Honeynet-based Botnet Scan Traffic Analysis”, invited book chapter for “Botnet Detection: Countering the Largest Security Threat”, Springer, 2007.
– “Integrated Fault and Security Management”, invited book chapter for “Information Assurance: Dependability and Security in Networked Systems”, Morgan Kaufmann Publishers, 2007.
– “Reversible Sketches: Enabling Monitoring and Analysis over High-speed Data Streams”, in IEEE/ACM Transactions on Networking, Volume 15, Issue 5, Oct. 2007.
– “Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms”, in the Proc. of the 15th IEEE International Conference on Network Protocols (ICNP), 2007
– “Detecting Stealthy Spreaders Using Online Outdegree Histograms”, in the Proc. of the 15th IEEE International Workshop on Quality of Service (IWQoS), 2007
Students Involved
• PhD students:
– Zhichun Li, Yao Zhao (both in their 4th year)
– Lanjia Wang, Yanmei Zhang (visiting PhD students)
• MS students:
– Sagar Vemuri (1st year)
– Jiazhen Chen (2nd year)
Limitations of Exploit Based Signature
[Figure: traffic from the Internet is filtered at the border with the exploit-based signature 10.*01. Worm instances 1010101 and 10111101 match and are blocked; polymorphic variants 11111100 and 00010111 do not match and reach our network.]
Polymorphism! Polymorphic worms may not have any exact exploit-based signature.
Vulnerability Signature
[Figure: traffic filtering at the border with a vulnerability signature. Every instance of a worm exploiting that vulnerability is blocked before it reaches our network, even when the vulnerability itself is unknown.]
• Works for polymorphic worms
• Works for all worms which target the same vulnerability
Benefits of Network Based Detection
[Figure: gateway routers between the Internet and our network host a network-based sensor, compared with host-based detection on individual hosts inside the network.]
• At the early stage of a worm there are only limited worm samples.
• Host-based sensors can only cover limited IP space, which might have scalability issues.
Early Detection!
Basic Ideas
• At least 75% of vulnerabilities are due to buffer overflow
• The overlong field length is intrinsic to a buffer overflow vulnerability and hard to evade
• However, there could be thousands of fields, so selecting the optimal field set is hard
[Figure: a protocol message whose field overflows the vulnerable buffer.]
Framework
[Figure: traffic from a network tap passes a known worm filter and a worm flow classifier; a protocol classifier splits it by service (TCP 25, TCP 53, TCP 80, TCP 137, UDP 1434, ...) into a suspicious traffic pool. A real-time normal traffic reservoir (ICDCS06, INFOCOM06, TON 07) feeds a policy-driven normal traffic pool. LESG consumes both pools and outputs signatures.]
LESG Signature Generator
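The length-signature idea behind LESG, written out as an added example (not the authors' code and not their algorithm in detail): a worm that overflows a fixed-size buffer has to put an overlong value into the same protocol field no matter how its bytes are polymorphed, so a signature of the form "length of field F >= T" is one the attacker cannot shrink away. The threshold is taken from the normal traffic pool, which bounds false positives, and the suspicious pool is allowed to contain noise. The line-oriented 'CMD arg1 arg2' protocol, its parser and every flow below are constructed for the example; a real generator would use per-protocol parsers for DNS, SMTP and the like.

```python
"""Toy length-based signature generation in the spirit of LESG.

Added example, not the LESG authors' code. A worm that overflows a
fixed-size buffer must put an overlong value into the same protocol
field however it is polymorphed, so "length of field F >= T" is a
signature the attacker cannot shrink away. The line-oriented
'CMD arg1 arg2' protocol, its parser and all flows below are constructed
for this example; a real system would use per-protocol parsers.
"""
from collections import defaultdict

FIELDS = ("cmd", "arg1", "arg2")


def parse_message(msg: bytes) -> dict:
    """Toy parser: split on the first two spaces into cmd / arg1 / arg2."""
    parts = msg.split(b" ", 2)
    return {name: (parts[i] if i < len(parts) else b"")
            for i, name in enumerate(FIELDS)}


def field_lengths(pool):
    """Field name -> list of that field's length in every flow of the pool."""
    lengths = defaultdict(list)
    for msg in pool:
        for name, value in parse_message(msg).items():
            lengths[name].append(len(value))
    return lengths


def choose_threshold(normal_lengths, max_fp):
    """Smallest T such that at most max_fp of normal flows have length >= T,
    i.e. the false-positive bound is taken from the normal traffic pool."""
    srt = sorted(normal_lengths)
    allowed = int(max_fp * len(srt))  # normal flows a signature may misfire on
    return srt[len(srt) - allowed - 1] + 1


def coverage(lengths, threshold):
    """Fraction of the (noisy) suspicious pool a threshold would match."""
    return sum(1 for n in lengths if n >= threshold) / len(lengths)


def matches(msg: bytes, sigs) -> bool:
    """A flow matches if any signature's field is at least its threshold."""
    fields = parse_message(msg)
    return any(len(fields[f]) >= t for f, t in sigs)


def generate_length_signatures(suspicious_pool, normal_pool,
                               min_coverage=0.5, max_fp=0.0):
    """Greedy selection of (field, threshold) signatures.

    The suspicious pool may contain noise (normal flows the classifier
    let through), so a signature only has to cover min_coverage of it.
    Each round keeps the field whose threshold covers the most remaining
    suspicious flows and drops the flows it covers, so two worms in one
    pool come out as two signatures.
    """
    normal = field_lengths(normal_pool)
    thresholds = {f: choose_threshold(normal[f], max_fp) for f in FIELDS}
    remaining, sigs = list(suspicious_pool), []
    while remaining:
        susp = field_lengths(remaining)
        best = max(FIELDS, key=lambda f: coverage(susp[f], thresholds[f]))
        if coverage(susp[best], thresholds[best]) < min_coverage:
            break
        sigs.append((best, thresholds[best]))
        remaining = [m for m in remaining if not matches(m, sigs[-1:])]
    return sigs


# Constructed normal traffic pool: the longest arg1 is 16 bytes.
NORMAL_POOL = [
    b"USER alice", b"USER bob", b"PASS hunter2", b"LIST /home/alice/docs",
    b"RETR report.txt", b"STOR notes.txt", b"QUIT",
]
# Eight polymorphic variants: same overflowing field, different bytes.
WORM_FLOWS = [b"RETR " + bytes(0x41 + (i * 7 + j) % 26 for j in range(300))
              for i in range(8)]
# Two normal flows misclassified into the suspicious pool (20% noise).
SUSPICIOUS_POOL = WORM_FLOWS + [b"USER carol", b"RETR index.html"]

if __name__ == "__main__":
    sigs = generate_length_signatures(SUSPICIOUS_POOL, NORMAL_POOL)
    print(sigs)  # [('arg1', 17)]
    print(sum(matches(m, sigs) for m in WORM_FLOWS), "of 8 worm flows caught")
```

The only signature that survives is on arg1, because that is the only field the eight variants all overflow; cmd and arg2 never exceed their normal maxima. The noise flows in the suspicious pool are simply left uncovered rather than forcing a lower threshold, which is what keeps the normal pool's false-positive bound intact.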
Evaluation Methodology
• Worm workload
– Eight polymorphic worms created based on real-world vulnerabilities, including those of the CodeRed II and Lion worms.
– Protocols: DNS, SNMP, FTP, SMTP
• Normal traffic data
– 27GB from a university gateway and a 123GB email log
Results
• Single/multiple worms with noise
– Noise ratio: 0~80%
– False negatives: 0~1% (mostly 0)
– False positives: 0~0.01% (mostly 0)
• Pool size requirement
– 10 or 20 flows are enough even with 20% noise
• Speed results
– With 500 samples in the suspicious pool and 320K samples in the normal pool, for DNS, parsing takes 58 secs and LESG 18 secs
In Summary
• A novel network-based automated worm signature generation approach
– Works for zero-day polymorphic worms with unknown vulnerabilities
– First work which is both vulnerability-based and network-based, using length signatures for buffer overflow vulnerabilities
– Provable attack resilience
– Fast and accurate in experiments
EAP Authentication on Wireless Networks
• TLS provides mutual authentication and key exchange.
[Figure: protocol stack, top to bottom]
– Authentication primitive: Transport Layer Security (TLS)
– Authentication method layer: EAP-TLS, EAP-TTLS, PEAP, EAP-FAST
– EAP layer: Extensible Authentication Protocol (EAP)
– Data link layer: EAP over LAN (EAPOL) over 802.11 WLAN
TLS Conversation (Successful)
A TLS client and server negotiate a stateful connection using a handshake procedure.
[Figure: TLS handshake protocol, server end on the left, client end on the right]
Server -> Client: Hello Request
Client -> Server: Client Hello
Server -> Client: Server Hello, Server Certificate, Server Key-exchange message, Server Hello Done
Client -> Server: Client Key-exchange message, Change Cipher Spec, TLS Finished
Server -> Client: Change Cipher Spec, TLS Finished
Both: Encrypted conversation over TLS
TLS Conversation (Failed)
On transmission or receipt of a fatal alert message, both parties immediately close the connection.
[Figure: the same handshake, interrupted]
Server -> Client: Hello Request
Client -> Server: Client Hello
Server -> Client: Server Hello, Server Certificate, Server Key-exchange message, Server Hello Done
Client -> Server: Client Key-exchange message, Change Cipher Spec, TLS Finished
Error_Alert (fatal level)
Close_notify exchanged in both directions
EAP-TLS - Vulnerability
• Sniffing to learn the client MAC address and IDs
– Packets are in clear text before authentication
– Regardless of whether WEP, WPA, or WPA2 is used
• Spoofing error messages
– Before authentication is done, the attacker spoofs an alert message of level ‘fatal’, followed by a close_notify alert.
– Then the handshake protocol fails and needs to be tried again.
• Complete DoS attack
– The attacker repeats the previous steps to stop all the retries
Experiments with the Northwestern wireless network are in progress.
Conclusions
• Network-based zero-day polymorphic worm signature generation
• Vulnerability analysis of wireless network protocols: Mobile IP and EAP-TLS
• Close work with Motorola liaisons
– Joint conference paper published, a journal paper submitted and a patent filed
• Completed prototype/implementation code accessible to Motorola under the agreement
Thank You !
Deployment of WAIDM
[Figure: (a) original configuration: users attach to 802.16 base stations (BS), which connect through a switch/BS controller to the Internet. (b) WAIDM deployed: the WAIDM system hangs off a scan port of the switch/BS controller and sees the traffic between the base stations and the Internet.]
• Attached to the switch connecting the BSs, as a black box
• Enables the early detection and mitigation of global-scale attacks
• Could be a differentiator for Motorola’s 802.16 products
Experiment in Lab
[Figure: server end, client end and attacker]
• We conducted a real-world experiment demonstrating the practicality of the attack on TLS by performing a DoS attack on Northwestern University’s wireless network.
• Northwestern Wireless requires users to authenticate to it using PEAP (Protected EAP), which internally uses TLS 1.0 as the security method for authentication.
• The user provides his ID (NetID) and password, which are then verified at a backend authentication server.
• We used:
– the libpcap library to sniff the channel
– the lorcon library to set the parameters of the wireless network card and send spoofed messages
– a Proxim Orinoco Gold wireless network adapter
– MADWifi (madwifi-ng) drivers.
EAP-TLS - Attack in Action
[Figure: attacker, client end and server end]
Server -> Client: Hello Request
Client -> Server: Client Hello
Attacker -> Client (spoofed as the server): Error Alert (fatal), Close_Notify
Server -> Client: Server Hello, Server Certificate, Server Key-exchange message, Certificate Request, Server Hello Done (the client has already closed the connection)
• Simple attack: an error alert message of level ‘fatal’ followed by a close_notify alert
Potential Solutions
• Enhance the robustness of authentication protocols for wireless access
– Delayed response
» Wait for a short time to allow multiple responses
– Trust good responses
» The attacker cannot ultimately pass authentication by always spoofing good responses
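The alert-injection attack from the EAP-TLS vulnerability and lab-experiment slides, and the delayed-response / trust-good-response idea above, run side by side in a small simulation. This is an added example, not the authors' experiment code: TLS is reduced to message names plus a keyed HMAC that stands in for the Finished verify_data, the wireless channel is a list in which the attacker's injected frames land before the server's reply, and the master secret, payloads and both attacker behaviours are constructed for the example.

```python
"""Simulating the error-message DoS on an EAP-TLS-style handshake, and the
delayed-response / trust-good-response idea from the slide.

Added example, not the authors' experiment code. TLS is reduced to message
names plus a keyed MAC standing in for the Finished verify_data, and the
wireless channel is a list in which the attacker's injected frames arrive
before the server's. Keys, payloads and both attackers are constructed.
"""
import hashlib
import hmac

# Server flight the client expects after each of its own messages.
EXPECTED = {
    "ClientHello": ["ServerHello", "Certificate", "ServerKeyExchange",
                    "ServerHelloDone"],
    "ClientKeyExchange": ["ChangeCipherSpec", "Finished"],
}
MASTER_SECRET = b"constructed-master-secret"  # known only to real endpoints


def verify_data(transcript):
    """MAC over the handshake transcript (TLS uses a PRF; HMAC suffices)."""
    return hmac.new(MASTER_SECRET, b"|".join(transcript), hashlib.sha256).digest()


class Server:
    """Legitimate server: answers each client message with the next flight."""

    def __init__(self):
        self.transcript = []

    def flight(self, client_msg):
        self.transcript.append(client_msg.encode())
        out = []
        for name in EXPECTED[client_msg]:
            if name == "Finished":
                payload = verify_data(self.transcript)
            else:
                payload = b"real-" + name.encode()
                self.transcript.append(name.encode() + b":" + payload)
            out.append(("handshake", name, payload))
        return out


def no_attacker(client_msg):
    return []


def alert_injector(client_msg):
    """The slide's attack: on the sniffed ClientHello, spoof a fatal alert and
    a close_notify in the server's name, ahead of the real reply."""
    if client_msg == "ClientHello":
        return [("alert", "fatal", b""), ("alert", "close_notify", b"")]
    return []


def good_response_spoofer(client_msg):
    """Attacker spoofing well-formed replies; without the master secret its
    Finished MAC is junk, and its ServerHello derails the transcript."""
    return [("handshake", n, b"\x00" * 32 if n == "Finished" else b"spoofed")
            for n in EXPECTED[client_msg]]


def valid(msg, transcript):
    kind, name, payload = msg
    if kind != "handshake":
        return False
    if name == "Finished":
        return hmac.compare_digest(payload, verify_data(transcript))
    return True


def abort_on_first_alert(inbox, expected, transcript):
    """Standard client: act on the first frame; a fatal alert tears down."""
    msg = inbox.pop(0)
    return msg if msg[1] == expected and valid(msg, transcript) else None


def delayed_trust_good(inbox, expected, transcript):
    """Mitigation: hold the window open and, if any frame is a valid next
    handshake message, prefer it over an alert that arrived alongside."""
    for msg in list(inbox):
        if msg[1] == expected and valid(msg, transcript):
            inbox.remove(msg)
            return msg
    return None  # nothing but alerts or junk: the failure is genuine


def run_handshake(policy, attacker=no_attacker):
    """One client handshake; True iff it ends with a verified Finished.
    A False here sends the client back to a fresh attempt, which the
    attacker on the slide simply disrupts again."""
    server, transcript = Server(), []
    for client_msg in ("ClientHello", "ClientKeyExchange"):
        transcript.append(client_msg.encode())
        # The attacker is local and reacts to the sniffed frame before the server.
        inbox = attacker(client_msg) + server.flight(client_msg)
        for expected in EXPECTED[client_msg]:
            msg = policy(inbox, expected, transcript)
            if msg is None:
                return False
            if expected != "Finished":
                transcript.append(expected.encode() + b":" + msg[2])
    return True


if __name__ == "__main__":
    for pol in (abort_on_first_alert, delayed_trust_good):
        for atk in (no_attacker, alert_injector, good_response_spoofer):
            ok = run_handshake(pol, atk)
            print(f"{pol.__name__:21} vs {atk.__name__:21}: "
                  f"{'authenticated' if ok else 'failed'}")
```

The standard client fails as soon as the spoofed fatal alert arrives, and every retry fails the same way; the delayed client sees the genuine ServerHello in the same window and completes. An attacker who spoofs good responses instead still denies service to both clients, but never authenticates, which is the property the slide relies on; in the simulation, as in TLS, the only check that exposes the spoofed flight is the Finished MAC, so nothing earlier in the flight can be trusted on its own.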