Security Issues Related to Cognitive Radios and Dynamic ... · 7/27/2010 timxb@colorado.edu 5 TCP...

Security Issues Related to

Cognitive Radios and

Dynamic Spectrum Access

Timothy X Brown

Interdisciplinary Telecommunications Program

Dept. of Electrical, Computer, and Energy Engineering

University of Colorado, Boulder

11th Annual International Symposium on Advanced Radio Technologies

Boulder, CO July 27 2010

CR/DSA Security

� Why are CR/DSA special?

� 50 ways to deny your service.

� How to analyze and harden CR systems.

7/27/2010 timxb@colorado.edu 2

Review

� Spectrum is important to UAS

� The spectrum is fully allocated

� Most spectrum is unused

� Cognitive Radio:

� Avoid Licensed users

� Communicate in “white spaces”

Maximum Amplitudes

Frequency (MHz)

Heavy UseHeavy Use

Sparse UseSparse Use

Heavy UseHeavy Use

Medium UseMedium Use

Similar to other

wireless devices

Similar to other

wireless devices

Vulnerable to

Denial of Service

Vulnerable to

Denial of Service

The Big Question

Can CR/DSA be made secure?

Confidentiality

Integrity

Availability

TCP Denial of Service

SYN-ACK

HTTP GET

TCP Start Up

Data Exchange

Denial of Service

0 2 4 6 8 10 12

Number Jammed

TCP-SYN-ACK

AODV-RREP

Brown, James, Sethi, “Jamming and Sensing of Encrypted Wireless Ad Hoc Networks,” in MobiHoc, 2006

<DL-MAP><DCD>

<UL-MAP><UCD>

<RNG-REQ>

<SBC-REQ>

<PKM-REQ>

<REG-REQ>

<RNG-RSP>

<SBC-RSP>

<PKM-RSP>

<REG-RSP>

Channel Scan and Synchronization

Ranging and

Capability Exchange

Key Exchange and Authorization

Registration

<DL-MAP><DCD>

<UL-MAP><UCD>

<RNG-REQ>

<RNG-RSP>

Ranging

Retries

<RNG-RSP>

lay in

DL-MAP, UL-MAP, DCD

and UCD expected at

regular intervals

BS SS BS SS

<DL-MAP><UL-MAP>

Throws client out

of network even

after association

<RNG-REQ>

Denial of Service

802.16 Network Entry and Initialization

Denial of Service

DSA/CR being pushed for

� Commercial

� Public Safety

� Military

Will not tolerate Denial of Service

Need to be careful with spectrum

� The spectrum is fully allocated

� Primary users fear

Harmful Interference

� “Mistakes” will bring down

regulatory hammer.

Maximum Amplitudes

Frequency (MHz)

Heavy UseHeavy Use

Sparse UseSparse Use

Heavy UseHeavy Use

Medium UseMedium Use

Whoops!

Review

Many DSA conceptsQ. Zhao, B. Sadler, A Survey of Dynamic Spectrum Access, IEEE Signal Processing, May 2007

• Unlicensed• Access etiquettes

• Fast buy and sell• Short-term Rental

• Find whitespaces• Avoid harming primary

Cognitive vs. Traditional Radios

Cognitive Engine

Geolocator

Sensor

Policy Input

OperatingSystem

A CR does more than a traditional radio

User Interaction Via

Hierarchical

AccessDynamic

Exclusive

Sharing

Cognitive vs. Traditional Radios

Cognitive Engine

Geolocator

Sensor

Policy Input

OperatingSystem

Not all functions used in all cognitive radiosWhat are the most vulnerable?

Why are CR/DSA different?

� More functions:

� more functions = more vulnerabilities

� Two DoS attacks:

� Directly: degrade one or more radios

� Indirectly: induce harmful interference

� Wide range of architectures

� What are best choices?

CR/DSA Security

CR Detect Range

Victim CR

Non-Cooperative Arch: Attacker Successfully “Denies” Access

Attacker Emulates Primary User

(Spoofs Sensor Input)

Distributed Cooperative Arch: Collated measurements make the attack less effective.

Cooperative CR

Network

Central

Authority

Active

Primary Users

Database

Centralized Cooperative Arch: Ineffective due to collated measurements in DB

Vulnerability Depends on Architecture

Non-Cooperative Cooperative

Centralized Distributed

CR Network Architectures

Example:

CR-specific DoS Attack

Example CR-specific DoS Attack

CR PP P

P PP P

PPP PCR

CR is Denied Access

Or Induced to Interfere

PP PCR

CR does not React to

Primary User Emulation

Overlay Underlay

Vulnerability Depends on Spectrum Access Methods

Overlay Underlay

Spectrum Access Methods

Geo-locate/

Access DB

Beacon/Control Signal

Detection/Sensing

Policy Database

PrimaryUsers

Database

TVDatabase

RadarDatabase

CellularDatabase

RF Environment

Prone to

Beacon/Control

Signal Spoof,

Prone to

Location/DB

Spoof, Jam,

Replay

Prone to

Sensing

Spoof, Jam,

Replay

Geo-locate/Access DB

Beacon/Control Signal

Detection/Sensing

Spectrum Awareness Methods

Vulnerability Depends on Spectrum Awareness Methods

Spectrum Awareness

Many Attacks and Many Cofigurations

Analysis of Multiple Attacks against

Multi-Dimensional CR Configurations

CR/DSA Security

Analysis Approach

� Combines

� likelihood/impact risk assessment (Barbeau/ETSI TS 102 165-1 V4.1.1)

� aviation risk analysis techniques (Hammer)

� Two Analyses

� Open: e.g. no encryption

� Hardened

Qualitative ranking

Organizes complex

interactions

Attack Analysis: Risk Assessment (1/3)

1. Attack Likelihood

Technical Problems to Attacker Likelihood Case Rank

Insolvable Impossible 0

Strong Low 1

Solvable Medium 2

None High 3

Rationale: Impact on VictimImpact Case Rank

Denial Attacks Induce Attacks

None None None 0

Perceptible but insignificant

degradation in CR

communication.

Perceptible but infrequent

interference to active

primary users

Significant degradation but still

operational CR

communication.

Perceptible frequent

interference to active

primary users

Medium 2

Non-operational CR

communication

Continuous interference to

active primary usersHigh 3

2. Attack Impact

3. Risk Level = f(Likelihood, Impact)

Risk Case Risk Mitigation Action

Minor No Countermeasures Required

Major Threat cannot be Ignored

Critical Mandates High Priority Handling

Attack Analysis: Risk Analysis using

Hammer Model Framework (1/3)

Attacker

Actions

Vulnerabilities

Attack

Outcome

Interaction

• Organizes complex interactions

• Based on FAA System Safety Hazard Analysis

Preconditions

Initiating Threat Contributory Threat Primary Threat

Attack Analysis: Risk Analysis using

Hammer Model Framework (2/3)

� Modeling tool to represent an attack scenario into a sequence

of initiating and contributory threats that result in one of more

primary threats.

� Primarily Used for Qualitative Scenario based Attack

Analysis.

Example: Primary User Emulation Attack

in Non-Cooperative Architecture (3/3)

Initiating

Threat

Attack

conditions

7/27/2010 timxb@colorado.edu 26July 2008Timothy X Brown, University of

ColoradoSlide 26

Open System Attack Analysis Summary

Assumes open

system with no

encryption on any

CR/DSA Security

System Hardening

Can we mitigate:

� Primary User Emulation Attack

� Policy Spoofing

� Beacon Replay Attack

� Location Denial of Service

� …

Example:

How to Get Policies

� Simplest mechanism: Someone tells you

� Who do you trust?

� What if DB is unavailable?

� How do you manage?

Policy DB

Policy

DB (?)

Policy Communication Model

� Example: Centralized Model

BSA BSB

Communication Network

Policy DB Policy DB Policy DB

Hierarchical Policy Authorization

Frequency

Location

FCC/NTIA

10MHzCONUS

N860CP

10MHzColorado

1MHzColorado

DENSecure certificate chain

ensures authority to assign spectrum

Ignore unauthorized

policies

GCSGround

Control

Station

How can we harden the DSA/CR?

� Digital Signatures (false messages)

� Encrypted control channels (coordinated attacks)

� Spread spectrum control channels (jamming)

� Trust/reputation (malicious messages/users)

� Cooperative analysis (primary user emulation)

� Cooperative policing (unauthorized spectrum access)

� Multi-mode geolocation (GPS jamming)

� Multi time-scale policies (policy/beacon jamming)

7/27/2010 timxb@colorado.edu 33July 2008Timothy X Brown, University of

ColoradoSlide 33

Hardened System Attack Analysis Summary

Assumes strongest

mitigation technique

identified

Risk Assessment Results

Overlay Underlay

Beacon Geo-locate

Database

Detection

Sensing

Beacon Geo-locate

Database

Detection

Sensing

Cooperative1, 2 0, 3 0, 2 0, 2 0, 1 0, 2

Centralized

Cooperative0, 3 0, 3 0, 3 0, 1 0, 1 0, 2

Distributed

Cooperative0, 3 0, 3 0, 2 0, 1 0, 1 0, 2

Least Vulnerable

Configurations

Configuration

used in

802.22

(Critical, Major)

Disaster

Cellular:

Handset

Disaster

Cellular:

Base-Station

Conclusion

� CRs are susceptible to attacks.

� CRs open new avenues of attack.

� A Formal Risk Analysis and Assessment Process can help guide the least vulnerable CR Design Paradigm

Depends on concept of operations

Policy-based CR

Spread spectrum

Are we done?

� Not quite:

� Software defined radios

� Malicious DSP software

� Hardware

� Separating CR from rest of device

� Limits: Intermods and Spurs

(Confidentiality, Integrity, Availability)

References

� Brown, T.X, Sethi, A., “Hammer Model Threat Assessment of Cognitive Radio Denial of Service Attacks,” Proc. Of Dynamic Spectrum Access Networks, Chicago, 2008.

� M. Barbeau, “WiMax/802.16 Threat Analysis” in Proceedings of the 1st ACM international workshop on Quality of service & security in wireless and mobile networks, Quebec, Canada, 2005.

� U. S. Department of Transportation, Federal Aviation Administration. (2005, Jan). System safety process steps. [Online]. Available: http://www.faa.gov/library/manuals/aviation/risk_management/media/ssprocdscrp.pdf (accessed Jun 1, 2007).

Security Issues Related to Cognitive Radios and Dynamic ... · 7/27/2010 timxb@colorado.edu 5 TCP...

Documents

Transcript of Security Issues Related to Cognitive Radios and Dynamic ... · 7/27/2010 timxb@colorado.edu 5 TCP...

Models of TCP · 2012-10-27 · Cumulative and Duplicate ACK Ack the lowest expected sequence number Use cumulative ACK given in-order packets Wait 500ms in practice Duplicate ACK

TCP ACK Control for Wireless Networks

18-1 Last time □ Fast retransmit ♦ 3 duplicate ACKs □ Flow control ♦ Receiver windows □ Connection management ♦ SYN/SYNACK/ACK, FIN/ACK, TCP states □ Congestion.

Information Network 1 Transport layer: TCP a TCP connection n3-way handshake nSYN, SYN-ACK, ACK nEnsure full-duplex communication 16bit source port 16bit destination port 32bit sequence

Web services in Twente - TU Braunschweig€¦ · Re s p o n s e R equ st R e s p o n s e Master Agent SYN S YN , A CK ACK ACK, REQUEST A CK A CK , E SPO N E ACK A CK ACK, REQUEST

ADVANCED PENETRATION TESTING - Cybrary · •Sudo –scanflags ACKPSH x.y.z.a (can add more) •TCP Flags: SYN, ACK, RST, PSH, URG, FIN • Nmap –sA (looks for firewall, filtered

Analysis and Review of TCP SYN Flood Attack on Network with Its …icnqt.com/wp-content/uploads/2016/12/V6I1-IJERTV6IS... · 2017-01-22 · Analysis and Review of TCP SYN Flood Attack

How we measure IPv6 - APNIC · IPv6 over IPv4. IPv6 “Performance” Measurement •We can look at the time between the receipt of the TCP SYN and the TCP ACK of the initial TCP

LCCN TCP SYN attack protection

Computer Networking TCP Connection Management, Error ... · PDF fileTCP State Diagram: Connection Setup CLOSED SYN SENT SYN RCVD ... Sender maintains a window of sequence numbers ...

DEF CON 27 Hacking Conference Presentation CON 27/DEF CON 27 presentations/DEF… · BPF • tcpdump -i any -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0' (000) ldh [14] (001) jeq #0x800

security - Geoff Huston• network mapper is a utility for port scanning large networks: TCP connect() scanning, TCP SYN (half open) scanning, TCP FIN, Xmas, or NULL (stealth) scanning,

Review of TECHNISCHE Internet Protocol Suite UNIVERSITÄT ... · URG ACK PSH RST SYN FIN Advertised window size: number of bytes the receiver is willing to accept TCP is full duplex:

TCP Ack Storm DoS Attacks. - IFIP Open Digital Librarydl.ifip.org/db/conf/sec/sec2011/AbramovH11.pdf · TCP Ack Storm DoS Attacks Raz Abramov and Amir Herzberg Bar Ilan University

TCP/IP Security Attacksjain/cse571-09/ftp/l_03tcp.pdfData Offset Res Urg Ack Push Reset Syn Fin Window Checksum Urgent Pointer Options Padding Data. 3-4 Washington University in St.

Document Change History - AUTOSAR · Document Title Acceptance Test Specification ... IUT MUST send a SYN-ACK in response to a SYN ... 110 3.3.16 [ATS_TCP_00428] In ...

show s - sz - Cisco...Set connection advanced-options: UM_STATIC_TCP_MAP Retransmission drops: 0 TCP checksum drops : 0 Exceeded MSS drops : 0 SYN with data drops: 0 Invalid ACK drops

BLACK OPS OF TCP/IP...SYN travels across Internet SYN hits Bob‟s firewall, RST|ACK sent RST|ACK hits Alice‟s firewall, entry in state table torn down, RST|ACK readdressed to Alice

LCCN TCP SYN attack protection LCCN TCP SYN attack protection Submitting: Lena Lempert Ola Shor Ola Shor Eugenia Nimratz Eugenia Nimratz Instructor: Reuven.

BL ACK OPS OF TCP/IP