Formal-Guided Fuzz Testing: Targeting Security Assurance from Specification to Implementation for 5G and Beyond
Softwarization and virtualization in 5G and beyond necessitate thorough
testing to ensure the security of critical infrastructure and networks,
requiring the identification of vulnerabilities and unintended emergent
behaviors from protocol designs to their software stack implementation. To
provide an efficient and comprehensive solution, we propose a novel and
first-of-its-kind approach that connects the strengths and coverage of formal
and fuzzing methods to efficiently detect vulnerabilities across protocol logic
and implementation stacks in a hierarchical manner. We design and implement
formal verification to detect attack traces in critical protocols, which are
used to guide subsequent fuzz testing and incorporate feedback from fuzz
testing to broaden the scope of formal verification. This innovative approach
significantly improves efficiency and enables the auto-discovery of
vulnerabilities and unintended emergent behaviors from the 3GPP protocols to
software stacks. Following this approach, we discover one identifier leakage
model, one DoS attack model, and two eavesdrop attack models due to the absence
of rudimentary MITM protection within the protocol, despite the existence of a
Transport Layer Security (TLS) solution to this issue for over a decade. More
remarkably, guided by the identified formal analysis and attack models, we
exploit 61 vulnerabilities using fuzz testing demonstrated on srsRAN platforms.
These identified vulnerabilities contribute to fortifying protocol-level
assumptions and refining the search space. Compared to state-of-the-art fuzz
testing, our united formal and fuzzing methodology enables auto-assurance by
systematically discovering vulnerabilities. It significantly reduces
computational complexity, transforming the non-practical exponential growth in
computational cost into linear growth.
BaseSAFE: Baseband SAnitized Fuzzing through Emulation
Rogue base stations are an effective attack vector. Cellular basebands
represent a critical part of the smartphone's security: they parse large
amounts of data even before authentication. They can, therefore, grant an
attacker a very stealthy way to gather information about calls placed and even
to escalate to the main operating system, over-the-air. In this paper, we
discuss a novel cellular fuzzing framework that aims to help security
researchers find critical bugs in cellular basebands and similar embedded
systems. BaseSAFE allows partial rehosting of cellular basebands for fast
instrumented fuzzing off-device, even for closed-source firmware blobs.
BaseSAFE's sanitizing drop-in allocator enables spotting heap-based
buffer overflows quickly. Using our proof-of-concept harness, we fuzzed various
parsers of the Nucleus RTOS-based MediaTek cellular baseband that are
accessible from rogue base stations. The emulator instrumentation is highly
optimized, reaching hundreds of executions per second on each core for our
complex test case, around 15k test-cases per second in total. Furthermore, we
discuss attack vectors for baseband modems. To the best of our knowledge, this
is the first use of emulation-based fuzzing for security testing of commercial
cellular basebands. Most of the tooling and approaches of BaseSAFE are also
applicable for other low-level kernels and firmware. Using BaseSAFE, we were
able to find memory corruptions including heap out-of-bounds writes using our
proof-of-concept fuzzing harness in the MediaTek cellular baseband. BaseSAFE,
the harness, and a large collection of LTE signaling message test cases will be
released open-source upon publication of this paper.
Project BeARCAT : Baselining, Automation and Response for CAV Testbed Cyber Security : Connected Vehicle & Infrastructure Security Assessment
Connected, software-based systems are a driver in advancing the technology of transportation systems. Advanced automated and autonomous vehicles, together with electrification, will help reduce congestion, accidents and emissions. Meanwhile, vehicle manufacturers see advanced technology as enhancing their products in a competitive market. However, as many decades of using home and enterprise computer systems have shown, connectivity allows a system to become a target for criminal intentions. Cyber-based threats to any system are a problem; in transportation, there is the added safety implication of dealing with moving vehicles and the passengers within.
Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets
Wireless communication standards and implementations have a troubled history
regarding security. Since most implementations and firmwares are closed-source,
fuzzing remains one of the main methods to uncover Remote Code Execution (RCE)
vulnerabilities in deployed systems. Generic over-the-air fuzzing suffers from
several shortcomings, such as constrained speed, limited repeatability, and
restricted ability to debug. In this paper, we present Frankenstein, a fuzzing
framework based on advanced firmware emulation, which addresses these
shortcomings. Frankenstein brings firmware dumps "back to life", and provides
fuzzed input to the chip's virtual modem. The speed-up of our new fuzzing
method is sufficient to maintain interoperability with the attached operating
system, hence triggering realistic full-stack behavior. We demonstrate the
potential of Frankenstein by finding three zero-click vulnerabilities in the
Broadcom and Cypress Bluetooth stack, which is used in most Apple devices, many
Samsung smartphones, the Raspberry Pis, and many others.
Given RCE on a Bluetooth chip, attackers may escalate their privileges beyond
the chip's boundary. We uncover a Wi-Fi/Bluetooth coexistence issue that
crashes multiple operating system kernels and a design flaw in the Bluetooth
5.2 specification that allows link key extraction from the host. Turning off
Bluetooth will not fully disable the chip, making it hard to defend against RCE
attacks. Moreover, when testing our chip-based vulnerabilities on those
devices, we find BlueFrag, a chip-independent Android RCE.
Comment: To be published at USENIX Security
InternalBlue - Bluetooth Binary Patching and Experimentation Framework
Bluetooth is one of the most established technologies for short range digital
wireless data transmission. With the advent of wearables and the Internet of
Things (IoT), Bluetooth has again gained importance, which makes security
research and protocol optimizations imperative. Surprisingly, there is a lack
of openly available tools and experimental platforms to scrutinize Bluetooth.
In particular, system aspects and close to hardware protocol layers are mostly
uncovered.
We reverse engineer multiple Broadcom Bluetooth chipsets that are widespread
in off-the-shelf devices. Thus, we offer deep insights into the internal
architecture of a popular commercial family of Bluetooth controllers used in
smartphones, wearables, and IoT platforms. Reverse engineered functions can
then be altered with our InternalBlue Python framework, which outperforms
evaluation kits that are limited to documented and vendor-defined functions.
The modified Bluetooth stack remains fully functional and high-performance.
Hence, it provides a portable low-cost research platform.
InternalBlue is a versatile framework and we demonstrate its abilities by
implementing tests and demos for known Bluetooth vulnerabilities. Moreover, we
discover a novel critical security issue affecting a large selection of
Broadcom chipsets that allows executing code within the attacked Bluetooth
firmware. We further show how to use our framework to fix bugs in chipsets out
of vendor support and how to add new security features to Bluetooth firmware.
IoT-MQTT based denial of service attack modelling and detection
Internet of Things (IoT) is poised to transform the quality of life and provide new business opportunities with its wide range of applications. However, the benefits of this emerging paradigm are coupled with serious cyber security issues. The lack of strong cyber security measures in protecting IoT systems can result in cyber attacks targeting all the layers of IoT architecture, which includes the IoT devices, the IoT communication protocols and the services accessing the IoT data. Various IoT malware such as Mirai, BASHLITE and BrickBot show already rising IoT device based attacks as well as the usage of infected IoT devices to launch other cyber attacks. However, as sustained IoT deployment and functionality are heavily reliant on the use of effective data communication protocols, the attacks on other layers of IoT architecture are anticipated to increase. In the IoT landscape, the publish/subscribe based Message Queuing Telemetry Transport (MQTT) protocol is widely popular. Hence, cyber security threats against the MQTT protocol are projected to rise at par with its increasing use by IoT manufacturers. In particular, Internet-exposed MQTT brokers are vulnerable to protocol-based Application Layer Denial of Service (DoS) attacks, which have been known to cause widespread service disruptions in legacy systems. In this thesis, we propose Application Layer based DoS attacks that target the authentication and authorisation mechanism of the MQTT protocol. In addition, we also propose an MQTT protocol attack detection framework based on machine learning. Through extensive experiments, we demonstrate the impact of authentication and authorisation DoS attacks on three open-source MQTT brokers. Based on the proposed DoS attack scenarios, an IoT-MQTT attack dataset was generated to evaluate the effectiveness of the proposed framework to detect these malicious attacks.
The DoS attack evaluation results obtained indicate that such attacks can overwhelm the MQTT brokers' resources even when legitimate access to them was denied and resources were restricted. The evaluations also indicate that the proposed DoS attack scenarios can significantly increase the MQTT message delay, especially in QoS2 messages, causing heavy-tail latencies. In addition, the proposed MQTT features showed high attack detection accuracy compared to simply using TCP-based features to detect MQTT-based attacks. It was also observed that the protocol field size and length based features drastically reduced the false positive rates and hence are suitable for detecting IoT-based attacks.
Overview of the Course in “Wireless and Mobile Security”
This paper provides an overview of the “Wireless and Mobile Security” course. The course offers a practical study of security issues and features concerning wireless security. The program of the course efficiently interleaves systematic theoretical knowledge and practical work. The theoretical part of the course includes basic information about the architecture of wireless networks, as well as the modern standards available in this area and the protection mechanisms built into wireless network equipment. An effective method for integrating a wireless network with the existing network infrastructure, taking into account all aspects of security, is also proposed. More than 50 percent of teaching time is devoted to practical work on the protection of wireless networks.
During the course, students acquire skills in working with NetStumbler, Kismet, AirSnort, Aircrack, and other wireless and network monitoring tools. Particular attention is paid to the use of the most common wireless network auditing tools, both commercial and open source. In conclusion, a comprehensive approach to wireless security is offered for each wireless technology.