97 research outputs found
A Game of One/Two Strategic Friendly Jammers Versus a Malicious Strategic Node
We present a game-theoretic analysis of the interaction between a malicious node, attempting to perform unauthorized radio transmission, and friendly jammers trying to disrupt the malicious communications. We investigate the strategic behavior of the jammers against a rational malicious node and highlight counterintuitive results for this conflict. We also analyze the impact of multiple friendly jammers sharing the same goal but acting without coordination; we find that this scenario offers a better payoff for the jammers, which has strong implications for how to implement friendly jamming
Nap: Practical Micro-Sleeps for 802.11 WLANs
In this paper, we revisit the idea of putting interfaces to sleep during 'packet overhearing' (i.e., when there are ongoing transmissions addressed to other stations) from a practical standpoint. To this aim, we perform a robust experimental characterisation of the timing and consumption behaviour of a commercial 802.11 card. We design Nap, a local standard-compliant energy-saving mechanism that leverages micro-sleep opportunities inherent to the CSMA operation of 802.11 WLANs. This mechanism is backwards compatible and incrementally deployable, and takes into account the timing limitations of existing hardware, as well as practical CSMA-related issues (e.g., capture effect). According to the performance assessment carried out through trace-based simulation, the use of our scheme would result in a 57% reduction in the time spent in overhearing, thus leading to an energy saving of 15.8% of the activity time.
Comment: 15 pages, 12 figure
Maximising the Utility of Enterprise Millimetre-Wave Networks
Millimetre-wave (mmWave) technology is a promising candidate for meeting the intensifying demand for ultra fast wireless connectivity, especially in high-end enterprise networks. Very narrow beamforming is mandatory to mitigate the severe attenuation specific to the extremely high frequency (EHF) bands exploited. Simultaneously, this greatly reduces interference, but generates problematic communication blockages. As a consequence, client association control and scheduling in scenarios with densely deployed mmWave access points become particularly challenging, while policies designed for traditional wireless networks remain inappropriate. In this paper we formulate and solve these tasks as utility maximisation problems under different traffic regimes, for the first time in the mmWave context. We specify a set of low-complexity algorithms that capture distinctive terminal deafness and user demand constraints, while providing near-optimal client associations and airtime allocations, despite the problems' inherent NP-completeness. To evaluate our solutions, we develop an NS-3 implementation of the IEEE 802.11ad protocol, which we construct upon preliminary 60GHz channel measurements. Simulation results demonstrate that our schemes provide up to 60% higher throughput as compared to the commonly used signal strength based association policy for mmWave networks, and outperform recently proposed load-balancing oriented solutions, as we accommodate the demand of 33% more clients in both static and mobile scenarios.
Comment: 22 pages, 12 figures, accepted for publication in Computer Communication
Dead on Arrival: An Empirical Study of The Bluetooth 5.1 Positioning System
The recently released Bluetooth 5.1 specification introduces fine-grained positioning capabilities in this wireless technology, which is deemed essential to context-/location-based Internet of Things (IoT) applications. In this paper, we evaluate experimentally, for the first time, the accuracy of a positioning system based on the Angle of Arrival (AoA) mechanism adopted by the Bluetooth standard. We first scrutinize the fidelity of angular detection and then assess the feasibility of using angle information from multiple fixed receivers to determine the position of a device. Our results reveal that angular detection is limited to a restricted range. On the other hand, even in a simple deployment with only two antennas per receiver, the AoA-based positioning technique can achieve sub-meter accuracy; yet attaining localization within a few centimeters remains a difficult endeavor. We then demonstrate that a malicious device may be able to easily alter the truthfulness of the measured AoA, by tampering with the packet structure. To counter this protocol weakness, we propose simple remedies that are missing in the standard, but which can be adopted with little effort by manufacturers, to secure the Bluetooth 5.1 positioning system.
Comment: 8 pages, 11 figure
Implementation and Experimental Evaluation of a Collision-Free MAC Protocol for WLANs
Collisions are a main cause of throughput degradation in Wireless LANs. The current contention mechanism for these networks is based on a random backoff strategy to avoid collisions with other transmitters. Even though it can reduce the probability of collisions, the random backoff prevents users from achieving Collision-Free schedules, where the channel would be used more efficiently. By modifying the contention mechanism to wait for a deterministic timer after successful transmissions, users would be able to construct a Collision-Free schedule among successful contenders. This work shows the experimental results of a Collision-Free MAC (CF-MAC) protocol for WLANs using commercial hardware and open firmware for wireless network cards, which is able to support many users. Testbed results show that the proposed CF-MAC protocol leads to a better distribution of the available bandwidth among users, higher throughput and lower losses than the unmodified WLAN clients using a legacy firmware.
Comment: This paper was submitted to the IEEE International Conference on Communications 2015 and it is waiting for approva
Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets
Wireless communication standards and implementations have a troubled history regarding security. Since most implementations and firmwares are closed-source, fuzzing remains one of the main methods to uncover Remote Code Execution (RCE) vulnerabilities in deployed systems. Generic over-the-air fuzzing suffers from several shortcomings, such as constrained speed, limited repeatability, and restricted ability to debug. In this paper, we present Frankenstein, a fuzzing framework based on advanced firmware emulation, which addresses these shortcomings. Frankenstein brings firmware dumps "back to life", and provides fuzzed input to the chip's virtual modem. The speed-up of our new fuzzing method is sufficient to maintain interoperability with the attached operating system, hence triggering realistic full-stack behavior. We demonstrate the potential of Frankenstein by finding three zero-click vulnerabilities in the Broadcom and Cypress Bluetooth stack, which is used in most Apple devices, many Samsung smartphones, the Raspberry Pis, and many others.
Given RCE on a Bluetooth chip, attackers may escalate their privileges beyond the chip's boundary. We uncover a Wi-Fi/Bluetooth coexistence issue that crashes multiple operating system kernels and a design flaw in the Bluetooth 5.2 specification that allows link key extraction from the host. Turning off Bluetooth will not fully disable the chip, making it hard to defend against RCE attacks. Moreover, when testing our chip-based vulnerabilities on those devices, we find BlueFrag, a chip-independent Android RCE.
Comment: To be published at USENIX Securit
Looking for Criminal Intents in JavaScript Obfuscated Code
The majority of websites incorporate JavaScript for client-side execution in a supposedly protected environment. Unfortunately, JavaScript has also proven to be a critical attack vector for both independent and state-sponsored groups of hackers. On the one hand, defenders need to analyze scripts to ensure that no threat is delivered and to respond to potential security incidents. On the other, attackers aim to obfuscate the source code in order to disorient the defenders or even to make code analysis practically impossible. Since code obfuscation may also be adopted by companies for legitimate intellectual-property protection, a dilemma remains on whether a script is harmless or malignant, if not criminal. To help analysts deal with such a dilemma, a methodology is proposed, called JACOB, which is based on five steps, namely: (1) source code parsing, (2) control flow graph recovery, (3) region identification, (4) code structuring, and (5) partial evaluation. These steps implement a sort of decompilation for control flow flattened code, which is progressively transformed into something that is close to the original JavaScript source, thereby making eventual code analysis possible. Most relevantly, JACOB has been successfully applied to uncover unwanted user tracking and fingerprinting in e-commerce websites operated by a well-known Chinese company
- …