7 research outputs found
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabilities (WIFI)
The growing volume of attacks on the Internet has increased the demand for more robust systems and sophisticated tools for vulnerability analysis, intrusion detection, forensic investigations, and possible responses. Current hacker tools and technologies warrant reengineering to address cyber crime and homeland security. The being aware of the flaws on a network is necessary to secure the information infrastructure by gathering network topology, intelligence, internal/external vulnerability analysis, and penetration testing. This paper has as main objective to minimize damages and preventing the attackers from exploiting weaknesses and vulnerabilities in the 4 ways handshake (WIFI).We equally present a detail study on various attacks and some solutions to avoid or prevent such attacks in WLAN
I know your MAC address: targeted tracking of individual using Wi-Fi
International audienceThis work is about wireless communications technologies embedded in portable devices, namely Wi-Fi, Bluetooth and GSM. Focusing on Wi-Fi, we study the privacy issues and potential missuses that can affect the owners of wireless-enabled portable devices. Wi-Fi enable-devices periodically broadcast in plain-text their unique identifier along with other sensitive information. As a consequence, their owners are vulnerable to a range of privacy breaches such as the tracking of their movement and inference of private information (Cunche et al. in Pervasive Mobile Comput, 2013; Greenstein in Proceedings of the 11th USENIX workshop on hot topics in operating systems, pp 10:1-10:6. USENIX Association, Berkeley, 2007). As serious as those information leakage can be, linking a device with an individual and its real world identity is not a straightforward task. Focusing on this problem, we present a set of attacks that allow an attacker to link a Wi-Fi device to its owner identity. We present two methods that, given an individual of interest, allow identifying the MAC address of its Wi-Fi enabled portable device. Those methods do not require a physical access to the device and can be performed remotely, reducing the risks of being noticed. Finally we present scenarios in which the knowledge of an individual MAC address could be used for mischief
BaseSAFE: Baseband SAnitized Fuzzing through Emulation
Rogue base stations are an effective attack vector. Cellular basebands
represent a critical part of the smartphone's security: they parse large
amounts of data even before authentication. They can, therefore, grant an
attacker a very stealthy way to gather information about calls placed and even
to escalate to the main operating system, over-the-air. In this paper, we
discuss a novel cellular fuzzing framework that aims to help security
researchers find critical bugs in cellular basebands and similar embedded
systems. BaseSAFE allows partial rehosting of cellular basebands for fast
instrumented fuzzing off-device, even for closed-source firmware blobs.
BaseSAFE's sanitizing drop-in allocator, enables spotting heap-based
buffer-overflows quickly. Using our proof-of-concept harness, we fuzzed various
parsers of the Nucleus RTOS-based MediaTek cellular baseband that are
accessible from rogue base stations. The emulator instrumentation is highly
optimized, reaching hundreds of executions per second on each core for our
complex test case, around 15k test-cases per second in total. Furthermore, we
discuss attack vectors for baseband modems. To the best of our knowledge, this
is the first use of emulation-based fuzzing for security testing of commercial
cellular basebands. Most of the tooling and approaches of BaseSAFE are also
applicable for other low-level kernels and firmware. Using BaseSAFE, we were
able to find memory corruptions including heap out-of-bounds writes using our
proof-of-concept fuzzing harness in the MediaTek cellular baseband. BaseSAFE,
the harness, and a large collection of LTE signaling message test cases will be
released open-source upon publication of this paper
Tolerating Malicious Device Drivers in Linux
URL to paper from conference siteThis paper presents SUD, a system for running existing
Linux device drivers as untrusted user-space processes.
Even if the device driver is controlled by a malicious
adversary, it cannot compromise the rest of the system.
One significant challenge of fully isolating a driver is to
confine the actions of its hardware device. SUD relies on
IOMMU hardware, PCI express bridges, and message-signaled
interrupts to confine hardware devices. SUD
runs unmodified Linux device drivers, by emulating a
Linux kernel environment in user-space. A prototype of
SUD runs drivers for Gigabit Ethernet, 802.11 wireless,
sound cards, USB host controllers, and USB devices, and
it is easy to add a new device class. SUD achieves the
same performance as an in-kernel driver on networking
benchmarks, and can saturate a Gigabit Ethernet link.
SUD incurs a CPU overhead comparable to existing runtime
driver isolation techniques, while providing much
stronger isolation guarantees for untrusted drivers. Finally,
SUD requires minimal changes to the kernel—just two
kernel modules comprising 4,000 lines of code—which
may at last allow the adoption of these ideas in practice
Recommended from our members
Exploring the Augmentation of Fuzzing Techniques with Interface Awareness
Device drivers are an essential part in modern Unix-like systems to handle operations on physical devices, from hard disks and printers to digital cameras and Bluetooth speakers. The surge of new hardware, particularly on mobile devices, introduces an explosive growth of device drivers in system kernels. Many such drivers are provided by third-party developers, which are susceptible to security vulnerabilities and lack proper vetting. Unfortunately, the complex input data structures for device drivers render traditional analysis tools, such as fuzz testing, less effective, and so far, research on kernel driver security is comparatively sparse.In my thesis, I present DIFUZE, an interface-aware fuzzing tool to automatically generate valid inputs and trigger the execution of the kernel drivers. We leverage static analysis to compose correctly-structured input in the userspace to explore kernel drivers. DIFUZE is fully automatic, ranging from identifying driver handlers, to mapping of device file names, to constructing complex argument instances. We evaluate our approach on seven modern Android smartphones. The results show that DIFUZE can effectively identify kernel driver bugs, and reports 32 previously unknown vulnerabilities, including flaws that lead to arbitrary code execution