Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting

Jason Franklin, Damon McCoy, Parisa Tabriz, Vicentiu Neagoe, Jamie Van Randwyk, Douglas Sicker

Page 1

What would you like to identify today?

Page 2

Be Pessimistic!

• Today, we take a glass-is-half-empty view of device driver security.

• We present a fingerprinting technique for 802.11 device drivers under the premise that wireless device drivers are and will remain vulnerable.

Half-empty

Page 3

Outline

I. Motivation
II. 802.11 and all that jazz
III. Fingerprinting Approach
IV. Evaluation
V. Preventative Measures
VI. Wrap up

Page 4

Motivation

• 802.11 is everywhere.
– Coffee shops, airports, homes, businesses, here!
– Full-city coverage (San Francisco, London, Chicago)

• Driver-specific exploits are an emerging threat.
– Drivers are complex, numerous, buggy, and usually NOT easy to externally interact with.
– Wireless drivers, however, are externally accessible.
– 802.11 driver exploits already exist.
– New APIs for 802.11 packet generation will make writing exploits easier.

Page 6

Fingerprinting

• What is fingerprinting?
– Process by which a target object is identified by its externally observable characteristics

[Figure: Target Device; Fingerprinter asking "What would you like to identify today?"]

Page 7

Device Driver Fingerprinting

• Utility of fingerprinting
– Intrusion detection: detecting MAC address spoofing
– Network forensics: narrow or verify source of network event or security incident
– Reconnaissance: targeted attacks

• Why not use the MAC Address?
– MAC address is one way to identify a NIC manufacturer
– Easy to change (spoof) to another legitimate, copied, or fictitious MAC

Page 8

802.11 Active Scanning

• A station sends probe request frames when it needs to discover access points in a wireless network. This process is known as active scanning.

• The IEEE 802.11 standard specifies active scanning as…

For every channel:
    Broadcast probe request frame;
    Start channel timer, t;
    If t reaches MinChannelTime AND current channel is IDLE:
        Scan to the next channel;
    Else
        Wait until t reaches MaxChannelTime;
        Process probe response frames from current channel;
        Scan to the next channel;

• The remaining implementation details of this process are left to wireless driver authors…

Page 9

Intuition

• As you may have guessed, we distinguish drivers based on unique active scanning!

[Figure: active scanning behavior of the D-Link driver (D-Link DWL-G520 PCI Wireless NIC) and the Cisco driver (Aironet AIR-CB21AG-A-K9 PCI Wireless NIC)]

Page 11

Outline of Method

Supervised Bayesian Classification:
1. Create tagged signatures (Bayesian Models)
• 17 different device drivers
• 12 hour traffic traces
2. Capture traffic trace for an unidentified driver
3. Compare how close the unidentified trace is to every tagged signature and identify based on nearest match

Page 12

Signature Generation

• Driver signatures are based on the delta arrival time between probe requests.

• Signatures are obtained via binning with an empirically tuned and fixed bin width.
1. Record the percentage of probe requests placed in each bin
2. Record the average, for each bin, of all actual (non-rounded) delta arrival time values in that bin
3. Generate a vector initialized with these parameters as the signature for that driver

[Figure: Windows Engenius driver signature; bar chart of the fraction of probe requests per bin (y-axis 0 to 0.7), bins labeled 0.06, 1.19, 1.27, 2.5, 3.81]

Page 13

Identification

• Calculate how close the trace is to every known driver signature using a distance metric

• The trace is identified as having the driver whose signature is the closest according to our metric
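Added example, not the authors' code and not from the paper: it builds the per-driver signature described on Page 12 (bin the delta arrival times between probe requests, record the fraction and the mean raw delta per bin) and performs the nearest-signature identification from Page 13, with the MAC-spoofing check from Page 7 as a consumer. The traces are constructed by a small simulation of the Page 8 scan loop with made-up driver parameters, so they are not captured traffic; the bin width, the distance metric, the driver names and the 70% channel-idle rate are all assumptions.

```python
"""Added example, not the authors' code: driver signatures from probe-request
inter-arrival times (Page 12) and nearest-signature identification (Page 13).
Traces come from a simulation of the Page 8 scan loop with constructed,
made-up driver parameters; bin width and distance metric are assumptions."""
from collections import defaultdict
import math
import random

BIN_WIDTH = 0.25  # assumption: the slides only say the width is empirically tuned and fixed


def deltas(timestamps):
    """Delta arrival times (seconds) between consecutive probe requests."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def signature(timestamps, bin_width=BIN_WIDTH):
    """Map bin index -> (fraction of probes in the bin, mean raw delta in the bin)."""
    d = deltas(timestamps)
    if not d:
        raise ValueError("need at least two probe requests")
    bins = defaultdict(list)
    for x in d:
        bins[int(x // bin_width)].append(x)
    return {b: (len(v) / len(d), sum(v) / len(v)) for b, v in sorted(bins.items())}


def distance(sig_a, sig_b):
    """Assumed metric (not the paper's): squared difference of per-bin fractions,
    plus the per-bin mean difference in bin widths when both signatures use the bin."""
    total = 0.0
    for b in set(sig_a) | set(sig_b):
        pa, ma = sig_a.get(b, (0.0, None))
        pb, mb = sig_b.get(b, (0.0, None))
        total += (pa - pb) ** 2
        if ma is not None and mb is not None:
            total += ((ma - mb) / BIN_WIDTH) ** 2
    return math.sqrt(total)


def identify(trace, database):
    """Nearest tagged signature wins; returns (tag, distance)."""
    sig = signature(trace)
    return min(((tag, distance(sig, s)) for tag, s in database.items()), key=lambda p: p[1])


def constructed_trace(min_ct, max_ct, channels, scan_interval, n_sweeps, seed, jitter=0.002):
    """Constructed probe-request send times from a simulated driver running the
    Page 8 scan loop. MinChannelTime, MaxChannelTime, the channel count and the
    pause between sweeps are the implementer's choices that leak into the timing."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(n_sweeps):
        for _channel in range(channels):
            out.append(t)                       # broadcast probe request on this channel
            idle = rng.random() < 0.7           # constructed: channel idle 70% of the time
            dwell = min_ct if idle else max_ct  # leave at MinChannelTime only if idle
            t += dwell + rng.uniform(-jitter, jitter)
        t += scan_interval                      # driver-specific pause before the next sweep
    return out


# Hypothetical drivers; tags follow the slide format "driver assoc-status manager".
PROFILES = {
    "driverA unassoc windows": dict(min_ct=0.02, max_ct=0.06, channels=11, scan_interval=1.1),
    "driverB unassoc vendor":  dict(min_ct=0.02, max_ct=0.10, channels=3,  scan_interval=2.6),
    "driverC assoc vendor":    dict(min_ct=0.04, max_ct=0.10, channels=5,  scan_interval=3.8),
}


def build_database(n_sweeps=40):
    """Tagged signature database from long constructed traces (the training step)."""
    return {tag: signature(constructed_trace(**p, n_sweeps=n_sweeps, seed=1))
            for tag, p in PROFILES.items()}


def spoof_check(mac, trace, database, registry):
    """Intrusion-detection use from Page 7: True when the driver behaviour seen
    from `mac` does not match the driver registered for that MAC."""
    tag, _ = identify(trace, database)
    expected = registry.get(mac)
    return expected is not None and tag != expected


if __name__ == "__main__":
    db = build_database()
    for tag, p in PROFILES.items():
        probe = constructed_trace(**p, n_sweeps=15, seed=7)
        print(f"{tag:25s} -> {identify(probe, db)}")
```

Short unknown traces (15 sweeps) are matched against signatures built from long ones (40 sweeps); the fraction-per-bin term separates drivers with different channel counts and sweep pauses, while the mean-per-bin term separates drivers that land in the same bin with different dwell times.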

Page 14

Factors that Affect Probing

• Association status
– Associated to an access point
– Unassociated

• Driver management
– Managed by Windows
– Managed by NIC vendor drivers

Page 15

Experimental Setup

• The fingerprinter: Pentium 4 running Linux with a Cisco Aironet a/b/g wireless card

• The victims: 17 different wireless drivers, including drivers from Apple, Cisco, D-Link, Intel, Linksys, Madwifi, Netgear, Proxim, and SMC

• The signature database: 31 unique driver signatures with tags and signatures of the format:
driver assoc-status manager : (bin, % in bin, mean)

Page 16

Experimental Setup

Test set #1, Master Signature Database (Lab):
– No background traffic
– No obstructions

Test set #2 (Home network):
– No background traffic
– Wall between fingerprinter and victim

Test set #3 (Coffee house):
– Background wireless traffic
– Miscellaneous objects between fingerprinter and victim

Page 17

Results

Test Set   Successful   Total   Accuracy
1          55           57      96%
2          48           57      84%
3          44           57      77%

[Figure: histogram of Number of Drivers (y-axis, 0 to 10) against Accuracy of Driver Percentage (x-axis bins: 100, 99-90, 89-80, 79-70, 69-60)]

Page 18

Results

[Figure: Fingerprinting Accuracy (Percentage) on the y-axis against Trace Data (Minutes) on the x-axis]

Page 19

Limitations

• Cannot distinguish between different driver versions

• Accuracy is sensitive to network conditions

Page 20

Preventing Fingerprinting

• Standardize IEEE 802.11 active scanning
– Power constrained devices will want to probe less often than devices worried about quick handoffs

• Support configurable active scanning
– Off by default?
– Can we expect users to understand when to appropriately enable or disable active scanning?

• Inject probe requests to disguise driver behavior
– Wastes power and bandwidth
– Difficult to ensure that the noise is masking the driver

Page 21

Preventing Fingerprinting

• Modify driver code
– Extremely difficult with closed source drivers
– Non-trivial to modify even in open source drivers

• Patch existing drivers
– Best effort to mitigate driver exploits
– A usable and efficient patching process is needed to fix existing and future vulnerabilities discovered in device drivers

Page 22

Conclusions

• Wireless devices are a target of attack
• Unique implementations of active scanning can be used to fingerprint a wireless driver
• According to our results, this method of fingerprinting is highly accurate and efficient
• Now that more drivers are externally accessible, a larger focus needs to be placed on their software security

Questions?