. ETWORKAND3ECURITY2ESEARCH#ENTER …pdm12/cse544/slides/cse544-telco... · 2007-04-26 · SDCCH...

CSE 545 - Professor Patrick McDaniel Page

Systems Security: Why is Measurement Important?

Patrick TraynorCSE 544 - Advanced Systems Security

1/23/07

1


Scotland vs Security

2


The Importance of Measurement

• Measurement is a critical step in the science of systems security.

• It helps us understand the true nature of a system - how it looks, feels and operates.

‣ While mathematical modeling is important, our models typically fail to describe subtle interactions between components.

• Measurement is about the difference between how a bowling ball and a feather fall from a great height in a lab and in the real world...

3


Engineering vs Science

• What is the difference between engineering and science?

• Why then is measurement a science and not simply part of engineering?

• Measurement is at the very core of what we as systems people do!

‣ If you have not done a performance analysis,you should consider one as part of yoursemester project...

4

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Restoring State

5

• Traffic channels (TCH)‣ used to deliver voice traffic to cell phones (yak yak ...)

• Control Channel (CCH)‣ used for signaling between base station and phones

‣ used to deliver SMS messages• not originally designed for SMS C

CH

TCH


The Vulnerability

6

• Once you fill the SDCCH channels with SMS traffic, call setup is blocked

• The goal of an adversary is therefore to fill SDCCHs with SMS traffic.

SMS

Voice

SMS SMS SMS SMS SMS SMS SMS

X


MessageGeneration

RACH

Voice

SMS

Attack SMS

Service QueueManager

Service QueueModule

SDCCH TCH

Call Completionand

SMS Delivery

Reporting Module

Modeling• To better understand these attacks and

countermeasures, we use two techniques: queueing and simulation.

• We implemented protocols/channels as specified in 3GPP documents.

• We use parameters from publicly available documents: 3GPP, FCC, NCS.

7


Why Simulation?

• Why are the calculations in the first paper not enough to characterize this attack?

• Why is simulation the right tool for this job?

• How can we be sure that the results we get are meaningful?

• What other techniques could you use in your class projects?

8


Attack Profile

• Examined call blocking under uniform, Poisson and bursty arrival patterns.

• Because of variability in the network, we use the Poisson model for our remaining experiments.

• Using 495 msgs/sec, a blocking probability of 71% is possible with the bandwidth of a cable modem.

9

0

0.2

0.4

0.6

0.8

1

3 4 5 6 7 8 9

Av

erag

e P

ercen

t B

lock

ing

Du

rin

g A

ttack

SMS Attack Messages per Second

Uniform (SDCCH)

Poisson (SDCCH)

Burst 12 (SDCCH)

0

0.2

0.4

0.6

0.8

1

1.2

0 500 1000 1500 2000 2500 3000 3500 4000

Uti

lizati

on

Time (seconds)

SDCCH Utilization

TCH Utilization


Current Countermeasures

• SPAM filtering, Source IP-address filtering and Rate limitation are edge solutions.

• There are many portals to these networks - email, IM, bulk senders, infected/compromised mobile devices, other provider networks, etc.

• Given that the solutions offer no protection once messages are inside the system, we look to other methods to defend against attacks.

10


Queue Management

• Simply adding a queue in front of the SDCCHs is not a sufficient means of preventing this attack.

• We look to queue management techniques that have been successful in data networks.

• We segment traffic into voice and SMS streams, and attempt to deliver the maximum amount of legitimate trafficpossible.

11


Weighted Fair Queueing

• Traffic can be classified, split into separate queues and serviced at equal rates.

• Packets belonging to misbehaving flows are therefore unable to affect other traffic.

• To ensure that voice calls are not crowded out by targeted SMS attacks, we give 2:1 priority to calls over text messages.

12

2

4

2

Finished

FinishedFinished


WFQ - Overview

13

4

2

Voice

SMS

2Finished

Finished

Finished


WFQ - Overview

13

4

2

2

Voice

SMS

2

44

2Finished

Finished

Finished


WFQ - Overview

13

4

2

Voice

SMS

2

44

2Finished

Finished

Finished


WFQ - Overview

13

4

2

Voice

SMS

44

2Finished

Finished

Finished


WFQ - Overview

13

4

2

Voice

SMS

4

2Finished

Finished

Finished


WFQ - Overview

13

4

2

Voice

SMS

4

2

2Finished

Finished

Finished


WFQ - Overview

13

4

2

Voice

SMS

4

2Finished

Finished

Finished


WFQ - Overview

13

4

2

Voice

SMS

2Finished

Finished

Finished


WFQ - Results

• Under WFQ, voice calls never block.

• 72% of all SMS messages are blocked.

• We throw out huge numbers of both legitimate AND malicious packets.

14

0

0.2

0.4

0.6

0.8

1

0 500 1000 1500 2000 2500 3000 3500 4000

Percent

of A

ttem

pts

Blo

cked

Time (seconds)

Service Queue (SMS)

Service Queue (Voice)

TCH (Voice)

0

0.2

0.4

0.6

0.8

1

0 500 1000 1500 2000 2500 3000 3500 4000

Uti

lizati

on

Time (seconds)

SDCCH

TCH

Service Queue


Random Early Detection

• RED has traditionally been used to maintain TCP window size, but it also helps prevent queue lockout.

• We again separate traffic into voice and SMS, but further subdivide SMS into high, medium and low origin priorities.

• Based on these priorities, we evict newly arriving packets based on queue status.

15

closer to a moving average and not capacity, space typically exists

to accommodate sudden bursts of traffic. However, one of the chief

difficulties with traditional RED is that it eliminates the ability of

a provider to offer quality of service (QoS) guarantees because all

traffic entering a queue is dropped with equal probability. Weighted

Random Early Detection (WRED) solves this problem by basing

the probability a given incoming message is dropped on an attribute

such as its contents, source or destination. Arriving messages not

meeting some priority are therefore subject to increased probabil-

ity of drop. The dropping probability for each class of message is

tuned by setting tpriority,min and tpriority,max for each class.

We consider the use of authentication as a means of creating

messaging priority classes. For example, during a crisis, messages

injected to a network from the Internet by an authenticated mu-

nicipality or from emergency personnel could receive priority over

all other text messages. A number of municipalities already use

such systems for emergency [32] and traffic updates [36]. Mes-

sages from authenticated users within the network itself receive

secondary priority. Unauthenticated messages originating from the

Internet are delivered with the lowest priority. Such a system would

allow the informative messages (i.e. evacuation plans, additional

warnings, etc) to be quickly distributed amongst the population.

The remaining messages would then be delivered at ratios corre-

sponding to their priority level. We assume that packet priority

marking occurs at the SMSCs such that additional computational

burden is not placed on base stations.

Here, we illustrate how WRED can provide differentiated ser-

vice to different classes of SMS traffic using the attack scenario

described in Tables 1 and 2. We maintain separate queues, which

are served in a round robin fashion, for voice requests and SMS

requests. We apply WRED to the SMS queue. In this example we

assume legitimate text messages arrive at a sector with an average

rate of 0.7 msgs/sec with the following distribution: 10% high

priority, 80% medium priority, and 10% low priority. The attack

generates an additional 9 msgs/sec.To accommodate sudden bursts of high priority SMS traffic, we

choose an SMS queue size of 12. Because we desire low latency

delivery of high priority messages, we target an average queue oc-

cupancy Qavg = 3.To meet this objective, we must set tlow,min and tlow,max. For

M/M/n systems with a finite queue of size m, the number of mes-sages in the queue, NQ, is:

NQ = PQ!

1 ! !(2)

where:

PQ =p0(m!)m

m!(1 ! !)(3)

where:

p0 =

"

m!1X

n=0

(m!)n

n!+

(m!)m

m!(1 ! !)

#

!1

(4)

Setting NQ = 3, we derive a target load !target = 0.855.!target is the utilization desired at the SDCCHs. Thus, the packet

dropping caused byWREDmust reduce the actual utilization, !actual

or "SMS/(µSMS · n), caused by the heavy offered load during anattack, to !target. Therefore:

!target = !actual(1 ! Pdrop) (5)

where Pdrop is the overall dropping probability of WRED. For traf-

fic with average arrival rate of "SMS = 9.7 msgs/sec, !actual =3.23. Solving for Pdrop,

Pdrop = 1 !!target

!actual= 0.736 (6)

Pdrop can be calculated from the dropping probabilities of theindividual classes of messages by ("low = 9.07):

Pdrop =Pdrop,high · !high + Pdrop,med · !med + Pdrop,low · !low

!SMS(7)

Because we desire to deliver all messages of high and medium

priority, we set Pdrop,high = Pdrop,med = 0. Using Equation 7,we find Pdrop,low = 0.787. This value is then used in conjunctionwith Equation 1 to determine tlow,min and tlow,max.

The desired average queue occupancy, Qavg, is 3. From equa-

tion 1, tlow,min must be an integer less than the average queue

occupancy. This leaves three possible values for tlow,min: 0, 1,and 2. The best fit is found when tlow,min = 0 and tlow,max = 4,resulting in 75% dropping of low priority traffic.

Using this method it is possible to set thresholds to meet delivery

targets. Of course, depending on the intensity of an attack, it may

not be possible to meet desired targets according to Equation 7, i.e.,

it may not be possible to limit blocking to only low priority traffic.

While the method outlined here provides just an approximate solu-

tion, given the quantization error in setting tlow,min and tlow,max

(they must be integers), we believe the method is sufficient. We

provide more insight into the performance of WRED in Section 5.

4.3 Resource ProvisioningNone of the above methods deal with the system bottleneck di-

rectly; rather, they strive to affect traffic before it reaches the air

interface. An alternative strategy of addressing targeted SMS at-

tacks instead focuses on the reallocation of the available messaging

bandwidth. We therefore investigate a variety of techniques that

modify the way in which the air interface is used.

To analyze these techniques we resort to simple Erlang-B queue-

ing analysis. We present a brief background here. For more details

see Schwartz [35]. In a system with n servers, and an offered loadin Erlangs of A, the probability that an arriving request is blockedbecause all servers are occupied is given by:

PB =An

n!Pl=n!1

l=0

All!

(8)

The load in Erlangs is the same as the utilization, !, in a queueingsystem; it is simply the offered load multiplied by the service time

of the resource. The expected occupancy of the servers is given by:

E(n) = !(1 ! PB) (9)

4.3.1 Strict Resource Provisioning

Under normal conditions, the resources for service setup and de-

livery are over-provisioned. At a rate of 50, 000 calls/hour in ourbaseline scenario, for example, the calculated average utilization

of SDCCHs per sector is approximately 2%. Given this observa-

tion, if a subset of the total SDCCHs can be used only by voice

calls, blocking due to targeted SMS attacks can be significantly

mitigated. Our first air interface provisioning technique, Strict Re-

source Provisoning (SRP), attempts to address this contention by

allowing text messages to occupy only a subset of the total num-

ber of SDCCHs in a sector. Requests for incoming voice calls can

compete for the entire set of SDCCHs, including the subset used

for SMS. In order to determine appropriate parameters for systems

using SRP, we apply Equations 8 and 9.








































NQ = PQ!

1 ! !(2)

where:

PQ =p0(m!)m

m!(1 ! !)(3)

where:

p0 =

"

m!1X

n=0

(m!)n

n!+

(m!)m

m!(1 ! !)

#

!1

(4)







Pdrop = 1 !!target

!actual= 0.736 (6)



!SMS(7)























PB =An

n!Pl=n!1

l=0

All!

(8)



E(n) = !(1 ! PB) (9)





















































NQ = PQ!

1 ! !(2)

where:

PQ =p0(m!)m

m!(1 ! !)(3)

where:

p0 =

"

m!1X

n=0

(m!)n

n!+

(m!)m

m!(1 ! !)

#

!1

(4)







Pdrop = 1 !!target

!actual= 0.736 (6)



!SMS(7)























PB =An

n!Pl=n!1

l=0

All!

(8)



E(n) = !(1 ! PB) (9)















WRED - Overview

16

LowMedHigh


WRED - Results

• Messages of high and medium-priority experience no blocking, but increased delay.

• An average of 77% of low-priority messages are blocked.

• This is a nice solution, assuming meaningful partitioning of flows.

17

0

0.2

0.4

0.6

0.8

1

0 500 1000 1500 2000 2500 3000 3500 4000

Perc

ent o

f Atte

mpt

s Blo

cked

Time (seconds)

Service Queue (SMS - Priority 1)Service Queue (SMS - Priority 2)Service Queue (SMS - Priority 3)


Resource Provisioning• The previous techniques do not address the

bottleneck directly.

• Instead, we look to reallocate the messaging bandwidth itself.

‣ Changing channel coding or definition is not feasible in the short term.

‣ Our techniques use many mechanisms already in place.

18


Strict Resource Provisioning

• Under SRP, incoming SMS messages compete for a subset of the total SDCCHs.

• We can explore the expected blocking behavior using standard Erlang-B blocking analysis:

• For an offered load of 50,000 calls/hour, SDCCH utilization is only 2%.

19








































NQ = PQ!

1 ! !(2)

where:

PQ =p0(m!)m

m!(1 ! !)(3)

where:

p0 =

"

m!1X

n=0

(m!)n

n!+

(m!)m

m!(1 ! !)

#

!1

(4)







Pdrop = 1 !!target

!actual= 0.736 (6)



!SMS(7)























PB =An

n!Pl=n!1

l=0

All!

(8)



E(n) = !(1 ! PB) (9)





















































NQ = PQ!

1 ! !(2)

where:

PQ =p0(m!)m

m!(1 ! !)(3)

where:

p0 =

"

m!1X

n=0

(m!)n

n!+

(m!)m

m!(1 ! !)

#

!1

(4)







Pdrop = 1 !!target

!actual= 0.736 (6)



!SMS(7)























PB =An

n!Pl=n!1

l=0

All!

(8)



E(n) = !(1 ! PB) (9)














SDCCHs


SRP - Results

• By restricting SMS messages to 6 of the 12 SDCCHs, we eliminate voice call blocking.

• 84% of text messages are blocked at the SDCCH.

• The SDCCHs used for voice only achieve a 6.3% utilization - a potential waste of resources.

20

0

0.2

0.4

0.6

0.8

1

0 500 1000 1500 2000 2500 3000 3500 4000

Percen

t o

f A

ttem

pts

Blo

ck

ed

Time (seconds)

SDCCH (SMS)

SDCCH (Voice)

TCH (Voice)

0

0.2

0.4

0.6

0.8

1

0 500 1000 1500 2000 2500 3000 3500 4000

Uti

lizati

on

Time (seconds)

SDCCH

TCH


Dynamic Resource Provisioning

• Temporarily reclaim unused TCHs as SDCCHs.

• A similar mechanism is already in use for converting TCHs between voice and data channels.

• By simply adding SDCCHs, we quickly increase the probability that at least once is available.

21

CCH* SDCCH/8 TCH TCH TCH TCH TCH TCH

TCH TCH TCH TCH TCH TCH TCH TCH



TRX 1

TRX 2

TRX 3

TRX 4

0 1 2 3 4 5 6 7






21





TRX 1

TRX 2

TRX 3

TRX 4

0 1 2 3 4 5 6 7

SDCCH/8






21





TRX 1

TRX 2

TRX 3

TRX 4

0 1 2 3 4 5 6 7

SDCCH/8 SDCCH/8


DRP - Results

• We can add up to 36 additional SDCCHs (-4 TCHs) before call blocking increases over 1%.

• Like all dynamic allocation mechanisms, DRP may be subject to thrashing and should therefore be carefully used.

22

0

0.2

0.4

0.6

0.8

1

0 500 1000 1500 2000 2500 3000 3500 4000

Percen

t o

f A

ttem

pts

Blo

ck

ed

Time (seconds)

SDCCH (SMS)

SDCCH (Voice)

TCH (Voice)

0

0.2

0.4

0.6

0.8

1

0 500 1000 1500 2000 2500 3000 3500 4000

Uti

lizati

on

Time (seconds)

SDCCH

TCH


SMS

Direct Channel Allocation

• Ultimately, removing text messaging and voice calls from shared channels is the only solution.

• In the short term, it is possible to have incoming calls use a TCH for both setup and the call itself.

• DCA therefore removes the bottleneck responsible for this vulnerability.

23

SDCCHs

TCH


SMSVoice

Direct Channel Allocation

• Ultimately, removing text messaging and voice calls from shared channels is the only solution.

• In the short term, it is possible to have incoming calls use a TCH for both setup and the call itself.

• DCA therefore removes the bottleneck responsible for this vulnerability.

23

SDCCHs

TCH


DCA - Results

• As expected, the only blocking observed occurs for text messages.

• Unfortunately, DCA introduces a new vulnerability as it allows anyone to hold a traffic channel before authenticating.

24

0

0.2

0.4

0.6

0.8

1

0 500 1000 1500 2000 2500 3000 3500 4000

Percen

t o

f A

ttem

pts

Blo

ck

ed

Time (seconds)

SDCCH (SMS)

SDCCH (Voice)

TCH (Voice)


Combined Mechanisms

• Combining a number of the mechanisms can also be beneficial.

• The combination of DRP and WFQ allows for resources to be allocated for “good” messages.

25

0

0.2

0.4

0.6

0.8

1

0 500 1000 1500 2000 2500 3000 3500 4000

Perc

ent o

f Atte

mpt

s Blo

cked

Time (seconds)

Service Queue (SMS - Priority 1)Service Queue (SMS - Priority 2)Service Queue (SMS - Priority 3)


State of the Union

• How was this work received by the community?

• What new projects have followed this body of work?

‣ New virus and worm defense techniques

‣ End device protection and mediation

‣ New attacks

‣ More...?

• We examine one of these new works tounderstand the “state of the union”.

26


Stealthily Exhaust MMS• The premise behind this work is that an Internet-based

adversary can drain the battery of your phone without your knowledge.

• By sending an initial MMS message, the targeted phone automatically opens a connection with a malicious server.

• The adversary then drains your battery by sending periodic messages, thereby keeping your phone in an energy-inefficient state.

27


What do you think?

• Given our discussions throughout this lecture, what are your thoughts on this paper?

28


Critique • The original SMS attack had a power drain attack as a footnote.

‣ The novelty here is that is only that the attack is stealthy.

• The effectiveness of the attack is questionable.

‣ 7 hours to drain a battery? How long are you realistically between chargers?

• Measurement and technique are poorly explained.

‣ Is there enough information here to recreate their experiments?

• There are serious grammatical errors throughout...

29


Many miles away...• Measurement quantizes observation. It forms the

basis of science.

‣ It’s the difference between a Loch Ness Monster and a Loch Ness Minnow...

• There are lots of things to be measured in a system. Part of our job is figuring out what is interesting.

• Techniques are varied, numerous and powerful. The most important thing is that you learn to use them properly!

30


Questions

Patrick Traynor

[email protected]

www.cse.psu.edu/~traynor

www.patricktraynor.org

31

. ETWORKAND3ECURITY2ESEARCH#ENTER …pdm12/cse544/slides/cse544-telco... · 2007-04-26 · SDCCH...

Documents

Transcript of . ETWORKAND3ECURITY2ESEARCH#ENTER …pdm12/cse544/slides/cse544-telco... · 2007-04-26 · SDCCH...