Adversary models in wireless security Suman Banerjee Department of Computer Sciences...
-
Upload
brett-miller -
Category
Documents
-
view
213 -
download
0
Transcript of Adversary models in wireless security Suman Banerjee Department of Computer Sciences...
![Page 1: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/1.jpg)
Adversary models in wireless security
Suman Banerjee
Department of Computer Sciences
Wisconsin Wireless and NetworkinG Systems (WiNGS) Laboratory
![Page 2: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/2.jpg)
Wireless localization
Madison municipal WiFi mesh network• • 9 square miles area• 200+ APs
![Page 3: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/3.jpg)
Wireless AP radio
Wireless backbone radio
Municipal Wi-Fi Mesh in Madison
Mesh AP on street light
![Page 4: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/4.jpg)
SERIAL ETHERNET
SERIAL ETHERNET
SERIAL ETHERNET
Gateway
Mesh Router
SERIAL ETHERNET
SERIAL ETHERNET
SERIAL ETHERNET
Municipal Wi-Fi Mesh in Madison
![Page 5: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/5.jpg)
Location applications
•Assume a disaster scenario
Locate position of each rescue personnel within the city in a reliable, secure fashion
Can take advantage of existing (trusted?) WiFi mesh deployment and wireless communication of rescue personnel
![Page 6: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/6.jpg)
Location applications
GPRS1
UMTS
WLAN
GPRS1
UMTS
GPRS2
• Real-time city-bus fleet management
• Where are the different buses?
![Page 7: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/7.jpg)
Location security
• Prove a user’s location to the infrastructure• GPS does not help
• Adversarial scenarios:– Integrity attacks:
• Attacker pretends to be in a different location• Attacker makes the system believe that the victim is in a different
location
– Privacy attack:• Attacker infers location of victim and can track the victim
![Page 8: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/8.jpg)
A specific localization approach
SERIAL ETHERNET SERIAL ETHERNET
SERIAL ETHERNET SERIAL ETHERNET
• Partition space into a grid
• System transmits some packets
• Participant reports RSSI tuple observed
• RSSI tuple is unique to a location and is the location signature
Pkt-2Pkt-1
Pkt-3Pkt-4
![Page 9: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/9.jpg)
Adversarial models (1)
SERIAL ETHERNET SERIAL ETHERNET
SERIAL ETHERNET SERIAL ETHERNET
• Attacker present in one location and observes all traffic using a regular antenna– May be able to infer
the RSSI tuple at victim
Pkt-2Pkt-1
Pkt-3Pkt-4
![Page 10: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/10.jpg)
Potential countermeasure
SERIAL ETHERNET SERIAL ETHERNET
SERIAL ETHERNET SERIAL ETHERNET
• System can employ randomization– Hide transmitter MAC
address– Use random transmit
power each time
• Attacker may not know which packet is transmitted by which transmitter– Makes inferencing
difficult
Pkt-2Pkt-1
Pkt-3Pkt-4
![Page 11: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/11.jpg)
Adversarial models (2)
SERIAL ETHERNET SERIAL ETHERNET
SERIAL ETHERNET SERIAL ETHERNET
• Attacker able to tell Angle/Direction-of-Arrival
• Randomization may not help
Pkt-2Pkt-1
Pkt-3Pkt-4
![Page 12: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/12.jpg)
Adversarial models (3)
SERIAL ETHERNET SERIAL ETHERNET
SERIAL ETHERNET SERIAL ETHERNET
• Even more sophisticated attacker– Present in multiple
locations– Can allow attacker
to have better location inference
Pkt-2Pkt-1
Pkt-3Pkt-4
![Page 13: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/13.jpg)
Time-scheduled transmissions by the system that induce collisions may make inferencing harder
SERIAL ETHERNET
SERIAL ETHERNET
More countermeasures
Pkt-2Pkt-1
Pkt-2
Wireless congruity[HotMobile 2007]
![Page 14: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/14.jpg)
Wireless “congruity”
• Very robust in environments with high entropy
• First metric :
• A is a trusted monitor, B is the user being authenticated
![Page 15: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/15.jpg)
Congruity implies spatial vicinity
Based on the “congruity”, it is possible to say
if X is near A, B or C
![Page 16: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/16.jpg)
Optimizations
• Considering packets in error is useful
• Thresholding on RSSI of correctly received packets can also be useful
• Summary:– Wireless congruity is a promising approach to
implement robust location authentication
![Page 17: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/17.jpg)
More countermeasures
SERIAL ETHERNET SERIAL ETHERNET
SERIAL ETHERNET SERIAL ETHERNET
• Trusted system can use MIMO to create NULLs in certain directions
• Not always easy to determine directions to NULL
• Has other pitfalls
Pkt-2Pkt-1
Pkt-3Pkt-4
NULL
NULL
![Page 18: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/18.jpg)
Adversarial models (4)
SERIAL ETHERNET SERIAL ETHERNET
SERIAL ETHERNET SERIAL ETHERNET
• Adversary can create NULLs at the victim as wellPkt-2Pkt-1
Pkt-3Pkt-4
NULL
NULL
![Page 19: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/19.jpg)
Adversarial models (5)
SERIAL ETHERNET SERIAL ETHERNET
SERIAL ETHERNET SERIAL ETHERNET
• Captured node in the system
Pkt-2Pkt-1
Pkt-3Pkt-4
![Page 20: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/20.jpg)
More adversarial scenarios
SERIAL ETHERNET
Bit-jamming attacks(protocol-agnostic)
SERIAL ETHERNET
SERIAL ETHERNET
SERIAL ETHERNET
RREQ X
RREP
RREQ XRREQ X
A
X
SERIAL ETHERNET
Protocol-aware attacks
TCP SYN
Random IP packet
Behavioral attacks
Processand discard
![Page 21: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/21.jpg)
Range of adversary capabilities
• Protocol knowledge
• Energy source
• Location diversity (what communication can it observe and affect)
• PHY layer capabilities – MIMO, AoA/DoA inference, antenna sensitivity, wormholes
• Computation capability
• Characteristics of the wireless topology itself
• Malice vs mal-function/selfish
• Collusions
• Tradeoff against performance, resilience, and other metrics
![Page 22: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/22.jpg)
Summary
• Most popular wireless communication mechanisms are relatively easy to attack
• Adversarial models not carefully considered when these protocols were designed
![Page 23: Adversary models in wireless security Suman Banerjee Department of Computer Sciences suman@cs.wisc.edu Wisconsin Wireless and NetworkinG Systems (WiNGS)](https://reader036.fdocuments.us/reader036/viewer/2022062805/5697bfa11a28abf838c95b5d/html5/thumbnails/23.jpg)
Thank you!Suman Banerjee
Email: [email protected]
http://www.cs.wisc.edu/~suman
Department of Computer SciencesUniversity of Wisconsin-Madison
Wisconsin Wireless and NetworkinG Systems (WiNGS) Laboratory