Wireless Network Security - Carnegie Mellon...
Transcript of Wireless Network Security - Carnegie Mellon...
![Page 1: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/1.jpg)
©2013 Patrick Tague
Wireless Network Security14-814 – Spring 2013
Patrick Tague
Class #15 – Cross-Layer Wireless Security
![Page 2: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/2.jpg)
©2013 Patrick Tague
Announcements• Reminder: project progress presentations will be
in class on March 21
• CMU-SV Career Fair– If you're looking for a job and interested in moving to
the SF Bay Area, consider coming out to our career fair at the Computer History Museum on March 14
– Currently >35 companies
![Page 3: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/3.jpg)
©2013 Patrick Tague
Agenda• Cross-layer attacks and defenses– Information sharing between protocol layers
– Offensive benefits via cross-layer reasoning
– Defensive benefits via cross-layer reasoning
![Page 4: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/4.jpg)
©2013 Patrick Tague
Layering• Networks are complex
• Layering simplifies network design
• Layered model:
Layer 3
Layer 2
Layer 1
Lower layer provides a service to higher layer
Higher layer doesn’t care how service is implemented:
transparency
![Page 5: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/5.jpg)
©2013 Patrick Tague
Layering in Wireless• Layering impacts
wireless protocols– Hiding physical layer
upper layers see →wired
– Cannot leverage advantages of wireless
• Layering is not appropriate for many wireless systems
Application
Transport
Network
Link
PhysicalWireless
Wired
![Page 6: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/6.jpg)
©2013 Patrick Tague
Cross-Layer Design• Cross-layer design– Sharing info helps
performance
– Transparency lost
– Design is more challenging
Application
Transport
Network
Link
Physical
![Page 7: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/7.jpg)
©2013 Patrick Tague
Cross-Layer (R)Evolution• Cross-layer evolution– Incorporate cross-layer information sharing into a
layered architecture– Layering properties are “minimally violated”– Protocols are still pretty widely usable
• Cross-layer revolution– Design new architecture from
the ground up– Protocols are highly customized,
narrowly usable
Application
Transport
Physical
Network
Link
![Page 8: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/8.jpg)
©2013 Patrick Tague
Cross-Layer Information Use• Most network protocols were designed in the
layered architecture– Leverage transparency for simple & efficient design– But...
• Attackers don't have to follow the transparency assumptions
• Can learn significantly more about network operations and behaviors by monitoring/probing/interacting with multiple layered protocols
• ==> Attackers using cross-layer information may be “smarter” than the networks under attack
![Page 9: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/9.jpg)
©2013 Patrick Tague
Cross-Layer Attacks• Cross-layer attacks– Sharing information
across protocol layers to improve attack performance
• For any definition of performance
– Planning and optimizing attacks may be much more challenging
Application
Transport
Network
Link
Physical
![Page 10: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/10.jpg)
©2013 Patrick Tague
Cross-Layer Attacks
Definition: a cross-layer attack is any malicious behavior that explicitly leverages information from one layered protocol to
influence or manipulate another
![Page 11: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/11.jpg)
©2013 Patrick Tague
Examples1. MAC-aware jamming attacks
2. MAC misbehavior targeting transport-layer performance
3. Application-aware packet dropping attacks
4.Traffic-aware collaborative jamming attacks
![Page 12: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/12.jpg)
©2013 Patrick Tague
MAC-Aware Jamming[Thuente & Acharya, MILCOM 2006]
• Protocol-aware jammers can optimize jamming actions based on protocol structure, e.g., MAC
![Page 13: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/13.jpg)
©2013 Patrick Tague
Jamming Attack Metrics• Attacks can be optimized in terms of:– Energy efficiency– Low probability of detection– Stealth– DoS strength– Behavior consistency with/near protocol standard– Strength against error correction algorithms– Strength against PHY techniques (FHSS, DHSS, CDMA)
![Page 14: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/14.jpg)
©2013 Patrick Tague
Jamming 802.11 Networks• Cross-layer jamming attacks– CTS corruption jamming
• Jam CTS control packets to deny access and cause low channel utilization, knowing that CTS follows RTS
– ACK corruption jamming• Jam ACK control packets to cause excess retransmission and
low utilization, knowing that ACK follows DATA
– DATA corruption jamming• Attempt to jam data packets to reduce throughput, knowing
that DATA follows CTS control packet or previous ACK
– DIFS wait jamming• Generate a short jamming pulse during DIFS time slots to
prevent protocol continuation, no utilization
![Page 15: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/15.jpg)
©2013 Patrick Tague
Colluding Attackers• Nodes can collude to
decrease probability of attack detection
• Energy required for 2 nodes is only slightly more than single node
![Page 16: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/16.jpg)
©2013 Patrick Tague
Stasis Trap[Bian et al., GLOBECOM 2006]
• Attacker uses MAC-layer misbehavior to target performance degradation in TCP flows– Based on MAC layer back-off manipulation, but only
periodically, say on the order of a TCP timeout
– Overall, Stasis Trap has little effect on MAC layer performance, so MAC misbehavior detection will not be able to identify the attack
– Attacker can target multiple flows to further reduce detectability
![Page 17: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/17.jpg)
©2013 Patrick Tague
Stasis Trap Against TCP Flows
![Page 18: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/18.jpg)
©2013 Patrick Tague
Simulation Results• Simulation results show that the three TCP
variants Reno, Sack, and Vegas are vulnerable to the Stasis Trap attack
![Page 19: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/19.jpg)
©2013 Patrick Tague
App-Aware Packet Dropping[Shao et al., SecureComm 2008]
• Attackers can use application-layer information to improve attack performance at lower layers– Attackers can drop the most valuable packets– Example: MPEG video
• I-frames are more valuable to MPEG decoding capability and video quality than B- or P- frames
• Cross-layer attackers can identify which packets contain I-frame data, and drop a small number of them
![Page 20: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/20.jpg)
©2013 Patrick Tague
Sensing I-Frame Packets• Router can observe
frame sizes and attempt to identify which packets belong to I-frames– Analyzing frame size
statistics reveals I-frame period N
– Additional check tell router whether each packet is from an I-frame with high probability
![Page 21: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/21.jpg)
©2013 Patrick Tague
I-Frame Packet DroppingApplication-aware attack degrades
video performance much more effectively compared to blind attack
Collaboration between multiple attackers yields further degradation
![Page 22: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/22.jpg)
©2013 Patrick Tague
Traffic-Aware Jamming[Tague et al., WiOpt 2008]
• Collaborating jammers with information about network flow topology and traffic rates can load-balance to control end-to-end flow
Dest dSource s
Jammer load-balancing
![Page 23: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/23.jpg)
©2013 Patrick Tague
What about cross-layer defenses?
![Page 24: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/24.jpg)
©2013 Patrick Tague
Layered Defenses forLayered Attacks
• Layered Attack vs. Layered Defense– This is what I consider “classical” network security
– Layer n protocols protect against layer n vulnerabilities
– Little/no protection from cascading attack impacts
![Page 25: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/25.jpg)
©2013 Patrick Tague
Layered Defenses forCross-Layer Attacks
• Cross-Layer Attack vs. Layered Defense– Advanced attacks developed against “classical”
network defenses
– Most likely, the attackers are going to win• At a cost, of course
![Page 26: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/26.jpg)
©2013 Patrick Tague
Cross-Layer Defenses forLayered Attacks
• Layered Attack vs. Cross-Layer Defense– “Classical” attacks applied to advanced networking
– If well designed, defenses should come out ahead• Again, at a cost
![Page 27: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/27.jpg)
©2013 Patrick Tague
Cross-Layer Defenses forCross-Layer Attacks
• Advanced Attack vs. Advanced Defense– Most interesting case where there isn't much work yet
– How “advanced” do defenses need to be to keep up with the “advanced” attacks?
• Hard question...
– Can we come up with a general framework to allow a defender to learn and adapt to what it sees?
• Attacker can do the same thing…
• …now we have a game
![Page 28: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/28.jpg)
©2013 Patrick Tague
ComparisonLayered Attack Cross-Layer Attack
Attack elements can target specific protocol performance
Attacks are easy to plan, but probably sub-optimal
Attacker may be “smarter” than the network under attack
Attack has fairly low cost to optimize, but likely to succeed
Detection of attacks is more likely due to cross-layer impacts
Defense is more costly, but likely to succeed
More difficult to characterize, optimize, predict, plan, …
Attack and defense are more costly
Red vs. Blue games
Laye
red
Defe
nse
Cro
ss-L
ayer
Def
ense
![Page 29: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/29.jpg)
©2013 Patrick Tague
Jamming-Aware Traffic Flow[Tague et al., ToN 2011]
• Feedback from relay nodes allows source to dynamically adjust traffic allocation over multiple fixed routing paths
Dest dSource s
Relay loss rate to source
![Page 30: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/30.jpg)
©2013 Patrick Tague
Summary• Attackers and defenders can use cross-layer
information sharing to improve performance– MAC-aware jamming attacks in 802.11
• [Thuente & Acharya, MILCOM 2006]
– Stasis Trap: MAC misbehavior targeting TCP flows• [Bian et al., GLOBECOM 2006]
– Packet dropping targeting MPEG I-frames• [Shao et al., SecureComm 2008]
– Traffic-aware jamming attacks• [Tague et al., WiOpt 2008]
– Jamming-aware traffic allocation• [Tague et al., ToN 2011]
![Page 31: Wireless Network Security - Carnegie Mellon Universitymews.sv.cmu.edu/teaching/14814/s13/files/14814s13_15.pdf · 2013. 3. 7. · Wireless Network Security 14-814 – Spring 2013](https://reader034.fdocuments.us/reader034/viewer/2022052005/6018a5c158139b6f364c5bf3/html5/thumbnails/31.jpg)
©2013 Patrick Tague
Next Time• Mar 19: Trust and reputation
• Mar 21: Project progress presentations
• Enjoy your Spring Break!