What would you
like to identify
today?
Passive Data Link Layer 802.11
Wireless Device Driver
Fingerprinting
Jason Franklin, Damon McCoy, Parisa Tabriz,
Vicentiu Neagoe, Jamie Van Randwyk,
Douglas Sicker
Be Pessimistic!
• Today, we take a glass is
half-empty view of
device driver security.
• We present a
fingerprinting technique
for 802.11 device drivers
under the premise that
wireless device drivers
are and will remain
vulnerable.
Half-empty
Outline
I.
II.
III.
IV.
V.
VI.
Motivation
802.11 and all that jazz
Fingerprinting Approach
Evaluation
Preventative Measures
Wrap up
Motivation
• 802.11 is everywhere.
– Coffee shops, airports, homes, businesses, here!
– Full-city coverage (San Francisco, London, Chicago)
• Driver-specific exploits are an emerging threat.
– Drivers are complex, numerous, buggy, and usually
NOT easy to externally interact with.
– Wireless drivers, however, are externally accessible.
– 802.11 driver exploits already exist.
– New APIs for 802.11 packet generation will make
writing exploits easier.
802.11 Basics
Station: Device with wireless
capabilities (laptop, PDA, etc.)
Access Point: Device that acts as a
communication hub for wireless
devices connected to a wireless LAN
Wireless Frame: Unit of data at
data-link layer
Fingerprinting
• What is fingerprinting?
– Process by which a target object is identified by its
externally observable characteristics
What would you
like to identify
today?
Target Device
Fingerprinter
Device Driver Fingerprinting
• Utility of fingerprinting
– Intrusion detection: detecting MAC address spoofing
– Network forensics: narrow or verify source of
network event or security incident
– Reconnaissance: targeted attacks
• Why not use the MAC Address?
– MAC address is one way to identify a NIC
manufacturer
– Easy to change (spoof) to another legitimate, copied,
or fictitious MAC
802.11 Active Scanning
• A station sends probe request frames when it needs to discover access
points in a wireless network. This process is known as active
scanning.
• The IEEE 802.11 standard specifies active scanning as…
For every channel:
Broadcast probe request frame;
Start channel timer, t;
If t reaches MinChannelTime AND current channel is IDLE:
Scan to the next channel;
Else
Wait until t reaches MaxChannelTime;
Process probe response frames from current channel;
Scan to the next channel;
• The remaining details of this process implementation are
determined by wireless driver authors…
Intuition
• As you may have guessed, we distinguish
drivers based on unique active scanning!
D-Link driver
D-Link DWL-G520 PCI Wireless NIC
Cisco driver
Aironet AIR-CB21AG-A-K9 PCI Wireless NIC
Fingerprinting Approach
REQ
REQ
REQ
Driver signature
Outline of Method
Supervised Bayesian Classification:
1. Create tagged signatures (Bayesian Models)
• 17 different device drivers
• 12 hour traffic traces
2. Capture traffic trace for an unidentified
driver
3. Compare how close the unidentified trace is
to every tagged signature and identify based
on nearest match
Signature Generation
• Driver signatures are based
on the delta arrival time
between probe requests.
• Signatures are obtained via
binning with an empirically
tuned and fixed bin width.
1. Record the percentage of probe
requests placed in each bin
2. Record the average, for each bin,
of all actual (non-rounded) delta
arrival time values in that bin
3. Generate a vector initialized
with these parameters as the
signature for that driver
0.7
0.6
0.5
0.4
0.3
0.2
0.1
0
0.06
1.19
1.27
2.5
3.81
Windows Engenius driver
signature.
Identification
• Calculate how close the trace is to every
known driver signature using distance
metric
• Trace is identified as having the driver
with the signature that is the closest
according to our metric
Factors that Effect Probing
• Association status
–
–
Associated to an access point
Unassociated
• Driver management
–
–
Managed by Windows
Managed by NIC vendor
drivers
Experimental Setup
• The fingerprinter: Pentium 4 running Linux
with a Cisco Aironet a/b/g wireless card
• The victims: 17 different wireless drivers,
including drivers from Apple, Cisco, D-link,
Intel, Linksys, Madwifi, Netgear, Proxim, and
SMC
• The signature database: 31 unique driver
signatures with tags and signature of the format:
driver assoc-status manager : (bin, % in bin, mean)
Experimental Setup
Test set #1, Master Signature Database (Lab):
– No background traffic
– No obstructions
Test set #2 (Home network):
– No background traffic
– Wall between fingerprinter and victim
Test set #3 (Coffee house):
– Background wireless traffic
– Miscellaneous objects fingerprinter and victim
Test
Set
Successful
Total
Accuracy
1
55
57
96%
2
48
57
84%
3
44
57
77%
Number of Drivers
Results
10
9
8
7
6
5
4
3
2
1
0
100
99-90
89-80
79-70
Accuracy of Driver Percentage
69-60
Fingerprinting Accuracy (Percentage)
Results
Trace Data (Minutes)
Limitations
• Cannot distinguish between different
driver versions
• Accuracy is sensitive to network
conditions
Preventing Fingerprinting
• Standardize IEEE 802.11 active scanning
– Power constrained devices will want to probe less
often then devices worried about quick handoffs
• Support configurable active scanning
– Off by default?
– Can we expect users to understand when to
appropriately enable or disable active scanning?
• Inject probe requests to disguise driver behavior
– Wastes power and bandwidth
– Difficult to ensure that the noise is masking the driver
Preventing Fingerprinting
• Modify driver code
– Extremely difficult with closed source drivers
– Non-trivial to modify even in open source
drivers
• Patch existing drivers
– Best effort to mitigate driver exploits
– A usable and efficient patching process is
needed to fix existing and future
vulnerabilities discovered in device drivers
Conclusions
• Wireless devices are a target of attack
• Unique implementations of active scanning can
be used to fingerprint a wireless driver
• According to our results,Questions?
this method of
fingerprinting is highly accurate and efficient
• Now that more drivers are externally accessible,
a larger focus needs to be placed on their
software security