
Automated Analysis of Wireless Communication Protocols via SDR



1. Chair for Network Architectures and Services, Technische Universität München
Automated Analysis of Wireless Communication Protocols via SDR
Bachelor thesis colloquium, Roman Leuprecht, November 4, 2015
Chair for Network Architectures and Services, Department of Informatics, Technische Universität München
Technische Universität München – Chair for Network Architectures and Services

2. Outline
◮ Recap: SDR (GNU Radio & the HackRF hardware)
◮ Concept
◮ Motivation
◮ Challenges
◮ Implementation: ADS-B, DCF-77, GSM, implementation details, result
◮ Proposal of a new framework
◮ Conclusion

3. Recap: SDR
SDR is the technology of using software instead of integrated circuits in radio modules.
(Figure: receive chain antenna → amplifier → A/D converter → bus → host system)
This enables easier and faster research and development. In this thesis we used:
◮ HackRF as transceiver hardware
◮ GNU Radio as SDR framework

4. Motivation
◮ many wireless systems are based on proprietary protocols
  ◮ e.g. car remotes, wireless lock systems
◮ analysis is needed to discover flaws & weaknesses
  ◮ private and military security concerns
◮ manual analysis is time-consuming, but automation may help:
  ◮ pattern recognition
  ◮ maximum likelihood calculations
  ◮ frequency deviation and progression analysis

5. Concept
At first the concept was to develop a framework for completely automated communication analysis featuring:
◮ automated recognition of messages
◮ search for patterns and structures
◮ reliable identification of known protocols
During the course of the thesis challenges were discovered and the concept was modified:
◮ analyze the challenges & research them in depth
◮ design a unified approach for wireless analysis
◮ implement a first testing framework

6. Challenges: Overview
Figure: flowgraph of digital information [1] with the challenges indicated. Transmit side: network payload → packet → channel code → digital modulation → baseband forming; receive side: baseband detection → demodulation → channel code → packet → network payload. The challenges sit on the receive side: modulation recognition, channel code estimation and packet reconstruction.

7. Challenges: Details
The following challenges and the respective approaches to solving them were found:
◮ modulation recognition
  ◮ neural networks for detection (∼90% success) [2]
◮ channel code estimation
  ◮ linear codes: maximum-likelihood based [3]
  ◮ convolutional codes: matrix-rank approach [4]
◮ packet reconstruction
  ◮ state-machine based (ReverX, RolePlayer) [5, 6]
  ◮ token-cluster based (Discoverer) [7]
  ◮ hybrid approach (ProtoX) [8]

8. Implementation: ADS-B
ADS-B is the official standard for broadcasting airborne information and anti-collision data [9]:
◮ distributes:
  ◮ height & speed
  ◮ coordinates & direction
  ◮ flight number & identification
◮ 1090 MHz, pulse position modulation, 1 Mbit/s
◮ two GNU Radio implementations exist, none of them stand-alone
Further challenges for the implementation were:
◮ filter design was complicated; over-sampling and then down-sampling was tried first (4 MS/s)
◮ a DC blocker with thresholds produces the high/low signals
◮ PPM modulation is not implemented in GNU Radio

9. Implementation: GR filters vs. DC blocker
This plot shows the effect of the different DC-spike avoidance techniques implemented in GNU Radio. (Figure: plot comparing the techniques; not included in the text.)
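As an added worked example (not code from the thesis or from GNU Radio), the following pure-Python demodulator does what the two ADS-B slides describe: it blocks DC with a running mean, thresholds to high/low levels, locates the Mode S preamble, slices the pulse-position-modulated bits, and checks the result with the Mode S 24-bit CRC. It assumes a 2 MS/s magnitude capture (two samples per 1 µs bit; the thesis tried 4 MS/s) and builds its own DF17-style frame from constructed random payload bits; every name in it (`ppm_decode`, `dc_block`, `make_capture`, ...) is the example's own.

```python
import random

SAMPLES_PER_US = 2                    # assumed capture rate: 2 MS/s
PREAMBLE_HIGH = (0, 2, 7, 9)          # preamble pulses at 0, 1.0, 3.5 and 4.5 us, 0.5 us wide
PREAMBLE_LEN = 8 * SAMPLES_PER_US     # the 8 us preamble occupies 16 samples
FRAME_BITS = 112                      # DF17 extended squitter: 88 message bits + 24 parity bits
MODES_GEN = 0x1FFF409                 # Mode S CRC generator polynomial (degree 24)


def modes_remainder(bits):
    """Remainder of the bit sequence modulo the Mode S generator.
    A frame whose last 24 bits are the correct parity leaves remainder 0."""
    reg = 0
    for b in bits:
        reg = (reg << 1) | b
        if reg & (1 << 24):
            reg ^= MODES_GEN
    return reg & 0xFFFFFF


def modes_parity(msg_bits):
    """24-bit parity of an 88-bit message: remainder of msg(x) * x^24."""
    return modes_remainder(list(msg_bits) + [0] * 24)


def make_frame(seed=1):
    """Constructed DF17 frame: DF=17 header, random CA/ICAO/ME bits, then parity."""
    rng = random.Random(seed)
    msg = [1, 0, 0, 0, 1] + [rng.randint(0, 1) for _ in range(83)]
    par = modes_parity(msg)
    return msg + [(par >> (23 - i)) & 1 for i in range(24)]


def ppm_encode(bits, amplitude=1.0):
    """Preamble followed by PPM data: a 1 bit puts the pulse in the first half of
    its 1 us slot, a 0 bit in the second half (two samples per bit)."""
    out = [amplitude if i in PREAMBLE_HIGH else 0.0 for i in range(PREAMBLE_LEN)]
    for b in bits:
        out += [amplitude, 0.0] if b else [0.0, amplitude]
    return out


def make_capture(frame, seed=2, dc=0.4, noise=0.1):
    """Constructed magnitude capture: idle gaps, a DC offset and uniform noise."""
    rng = random.Random(seed)
    clean = [0.0] * 40 + ppm_encode(frame) + [0.0] * 40
    return [s + dc + rng.uniform(-noise, noise) for s in clean]


def dc_block(samples, window=64):
    """Subtract a running mean, a stand-in for GNU Radio's dc_blocker block."""
    out, hist, acc = [], [], 0.0
    for s in samples:
        hist.append(s)
        acc += s
        if len(hist) > window:
            acc -= hist.pop(0)
        out.append(s - acc / len(hist))
    return out


def find_preamble(levels):
    """Index of the first 16-sample window of high/low levels that matches the
    preamble pattern and still leaves room for a full frame, or -1."""
    pattern = [1 if i in PREAMBLE_HIGH else 0 for i in range(PREAMBLE_LEN)]
    last = len(levels) - PREAMBLE_LEN - 2 * FRAME_BITS
    for i in range(last + 1):
        if levels[i:i + PREAMBLE_LEN] == pattern:
            return i
    return -1


def ppm_decode(samples, threshold=0.3):
    """DC-block, threshold to high/low, locate the preamble, then decide each bit
    by comparing the two half-slot samples. Returns the 112 bits or None."""
    blocked = dc_block(samples)
    levels = [1 if s > threshold else 0 for s in blocked]
    start = find_preamble(levels)
    if start < 0:
        return None
    first = start + PREAMBLE_LEN
    return [1 if blocked[first + 2 * i] > blocked[first + 2 * i + 1] else 0
            for i in range(FRAME_BITS)]


if __name__ == "__main__":
    frame = make_frame()
    decoded = ppm_decode(make_capture(frame))
    print("decoded == sent:", decoded == frame,
          "| CRC remainder:", hex(modes_remainder(decoded)))
```

The bit decision compares the two half-slot samples rather than thresholding them, which is what makes PPM tolerant of a slowly drifting DC level; the threshold is only needed to find the preamble. A single flipped bit anywhere in the 112 bits makes `modes_remainder` non-zero, so the CRC check is the natural place to reject frames from a noisy capture.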

10. Implementation: DCF-77
DCF-77 broadcasts the official German time and provides a radio time service for central Europe [10, 11]:
◮ 77.5 kHz, proprietary modulation
◮ 1 bit/s, frames aligned to minutes
Since no working implementation at all was found, no test could be developed. Nevertheless, DCF-77 is a good example of how reduced radio stacks can operate.

11. Implementation: The DCF-77 customized radio stack
Figure: DCF77 payload [10] and modulation [12]
Bits 1–14: various
Bits 15–20: time information (flags)
Bits 21–28: minutes (bit 28: parity)
Bits 29–35: hours (bit 35: parity)
Bits 36–58: date
  Bits 36–41: calendar day
  Bits 42–44: week day
  Bits 45–49: month
  Bits 50–57: year
  Bit 58: parity
Bits 59–60: pause – SFD
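Added example (not from the thesis): the DCF77 minute frame from the figure above as an encoder and decoder with the three even-parity checks, plus a slicer for the per-second amplitude keying (carrier reduced for 100 ms = 0, for 200 ms = 1, no reduction in second 59). Bit numbers are the standard 0-based ones and match the figure. Two things are the example's own choices rather than the page's: the two-digit year is expanded as 20xx, and `symbol_from_second` treats any sample below half the full amplitude as "carrier reduced". Function names are likewise the example's.

```python
FRAME_BITS = 59   # bits 0..58 carry a pulse each second; second 59 has none (minute mark)


def _bcd_bits(value, nbits):
    """BCD as transmitted: ones digit with weights 1,2,4,8, then tens digit 10,20,40,80."""
    tens, ones = divmod(value, 10)
    bcd = ones | (tens << 4)
    return [(bcd >> i) & 1 for i in range(nbits)]


def _bcd_value(bits):
    bcd = sum(b << i for i, b in enumerate(bits))
    return (bcd & 0xF) + 10 * (bcd >> 4)


def _parity(bits):
    """0 if the ones in bits are even in number (the transmitted parity convention)."""
    return sum(bits) & 1


def dcf77_encode(minute, hour, day, weekday, month, year2, cest=True):
    """Build bits 0..58 of one minute frame (weekday: 1 = Monday ... 7 = Sunday)."""
    f = [0] * FRAME_BITS
    # bit 0 is always 0; bits 1..14 (civil warning / weather) are left 0 here
    f[17], f[18] = (1, 0) if cest else (0, 1)   # CEST / CET flags
    f[20] = 1                                    # start of time information, always 1
    f[21:28] = _bcd_bits(minute, 7)
    f[28] = _parity(f[21:28])                    # P1 covers the minute
    f[29:35] = _bcd_bits(hour, 6)
    f[35] = _parity(f[29:35])                    # P2 covers the hour
    f[36:42] = _bcd_bits(day, 6)
    f[42:45] = _bcd_bits(weekday, 3)
    f[45:50] = _bcd_bits(month, 5)
    f[50:58] = _bcd_bits(year2, 8)
    f[58] = _parity(f[36:58])                    # P3 covers the whole date
    return f


def dcf77_decode(f):
    """Check framing and parity, then return the decoded fields; raises ValueError."""
    if len(f) != FRAME_BITS:
        raise ValueError("expected bits 0..58")
    if f[0] != 0 or f[20] != 1:
        raise ValueError("framing error: bit 0 must be 0 and bit 20 must be 1")
    if _parity(f[21:29]) or _parity(f[29:36]) or _parity(f[36:59]):
        raise ValueError("parity error")
    return {
        "minute": _bcd_value(f[21:28]),
        "hour": _bcd_value(f[29:35]),
        "day": _bcd_value(f[36:42]),
        "weekday": _bcd_value(f[42:45]),
        "month": _bcd_value(f[45:50]),
        "year": 2000 + _bcd_value(f[50:58]),   # assumption: two-digit year means 20xx
        "cest": bool(f[17]),
    }


def dcf77_valid(f):
    try:
        dcf77_decode(f)
        return True
    except ValueError:
        return False


def symbol_from_second(envelope):
    """Slice one second of demodulated envelope (one sample per millisecond):
    carrier reduced for ~100 ms -> 0, ~200 ms -> 1, not reduced -> None (minute mark).
    The 50% amplitude threshold is this example's own choice."""
    full = max(envelope)
    reduced = sum(1 for a in envelope if a < 0.5 * full)
    if reduced < 50:
        return None
    return 1 if reduced > 150 else 0


if __name__ == "__main__":
    # the colloquium date: Wednesday, 4 November 2015, 12:34 CET (constructed time of day)
    frame = dcf77_encode(34, 12, 4, 3, 11, 15, cest=False)
    print(dcf77_decode(frame))
```

The decoder checks each parity group over the field plus its parity bit, so a corrupted bit in the minutes, hours or date is rejected before any value is returned; a receiver that only syncs on the missing 59th pulse and trusts the BCD fields would happily hand out a wrong time.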

12. Implementation: Global System for Mobile Communications
GSM is the worldwide standard for mobile communication that was also adopted for various other uses, e.g. railways (GSM-R) [13]:
◮ 850 MHz, 900 MHz, 1800 MHz & 1900 MHz are the most common bands (14 in total, ranging from 380 MHz to 1900 MHz)
◮ (Gaussian) minimum shift keying modulation with frequency-division multiplexing
◮ operates on 1024 channels (each 200 kHz wide, 75% of them in the main quad bands)
For GSM the gr-gsm library (https://github.com/ptrkrysik/gr-gsm) yielded a usable implementation that provides:
◮ channel model
◮ burst aggregation
◮ packet detection

13. Implementation: Details
The implementation faced certain problems induced by the software used:
◮ GNU Radio bug: message passing in Python deadlocks the DSP flow at the end
◮ C++ blocks should not pass data into the surrounding Python program (may have side effects)
◮ no components to extract data for sequential tests
These could be solved by using the following techniques:
◮ a threaded design allows the tests to run despite the deadlock
◮ data is submitted via local loopback and the UDP protocol
  ◮ relies on the reliability of the operating system's local loopback socket implementation (Linux was used)
  ◮ the UDP approach allows interfacing with third-party programs

14. Implementation: Threading
Figure: the threading architecture of the Python application: Start → read options → configure → start threads (a UDP listen thread delivering DATA, the DSP thread, and the test-executing thread consuming the data) → join threads → End.

15. Implementation: Output
A sample test output written by the implemented GSM test, analyzing channel #85 (952 MHz) over about 20 seconds in Munich, Germany:
[RESULT] GSM Discovered ( 1151 frames )
[RESULT] GSM CCCH Packet encountered 118 times ( 10.3 % )
[RESULT] GSM RACH Packet encountered 1033 times ( 89.7 % )
◮ CCCH: Common Control Channel (GSM control handshakes and data exchange)
◮ RACH: Random Access Channel (for direct GSM system access by clients)

16. Implementation: Wireshark on local loopback (lo)
The extracted data can also be viewed in third-party applications like Wireshark. (Figure: Wireshark screenshot; not included in the text.)
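Added example (not from the thesis or from gr-gsm) covering the GSM, implementation-detail, threading, output and Wireshark slides together: a parser for the GSMTAP v2 header that gr-gsm emits as UDP datagrams on the loopback interface (port 4729, the same encapsulation Wireshark dissects), a tally that prints [RESULT] lines in the format shown above, an ARFCN-to-frequency helper (channel #85 is 952 MHz on the GSM900 downlink), and a listener thread that keeps draining the socket while the DSP side runs or deadlocks. The datagrams fed in are constructed, not captured, and the class and function names are the example's own.

```python
import socket
import struct
import threading

GSMTAP_PORT = 4729            # gr-gsm's default GSMTAP destination: UDP to 127.0.0.1
GSMTAP_VERSION = 2
GSMTAP_TYPE_UM = 1            # frames received on the air (Um) interface
ARFCN_MASK, ARFCN_F_UPLINK, ARFCN_F_PCS = 0x3FFF, 0x4000, 0x8000
CHANNEL_NAMES = {1: "BCCH", 2: "CCCH", 3: "RACH", 4: "AGCH", 5: "PCH",
                 6: "SDCCH", 7: "SDCCH4", 8: "SDCCH8"}
# 16-byte GSMTAP v2 header (network byte order): version, hdr_len in 32-bit words,
# type, timeslot, arfcn with flag bits, signal dBm, SNR dB, frame number,
# sub_type (logical channel), antenna, sub_slot, reserved
HDR = struct.Struct("!BBBBHbbIBBBB")


def parse_gsmtap(pkt):
    """Parse one GSMTAP datagram; raises ValueError on anything malformed."""
    if len(pkt) < HDR.size:
        raise ValueError("short packet")
    ver, hdr_len, typ, ts, arfcn, dbm, snr, fn, sub, _ant, subslot, _res = HDR.unpack_from(pkt)
    if ver != GSMTAP_VERSION or hdr_len * 4 > len(pkt):
        raise ValueError("bad version or header length")
    return {"type": typ, "timeslot": ts, "sub_slot": subslot,
            "arfcn": arfcn & ARFCN_MASK,
            "uplink": bool(arfcn & ARFCN_F_UPLINK), "pcs": bool(arfcn & ARFCN_F_PCS),
            "signal_dbm": dbm, "snr_db": snr, "frame_number": fn,
            "channel": CHANNEL_NAMES.get(sub, "UNKNOWN(%d)" % sub),
            "payload": pkt[hdr_len * 4:]}


def arfcn_to_downlink_mhz(arfcn, pcs=False):
    """Downlink centre frequency for the common bands; ARFCN 85 -> 952.0 MHz (GSM900)."""
    if 0 <= arfcn <= 124:                 # P-GSM 900: uplink 890 + 0.2 n, downlink 45 MHz above
        return 935.0 + 0.2 * arfcn
    if 975 <= arfcn <= 1023:              # E-GSM 900 extension, numbered below ARFCN 0
        return 935.0 + 0.2 * (arfcn - 1024)
    if 128 <= arfcn <= 251:               # GSM 850: uplink 824.2 + 0.2 (n-128), +45
        return 869.2 + 0.2 * (arfcn - 128)
    if 512 <= arfcn <= 810 and pcs:       # PCS 1900 (flagged in the header): +80
        return 1930.2 + 0.2 * (arfcn - 512)
    if 512 <= arfcn <= 885:               # DCS 1800: uplink 1710.2 + 0.2 (n-512), +95
        return 1805.2 + 0.2 * (arfcn - 512)
    raise ValueError("ARFCN %d not in a supported band" % arfcn)


def tally(packets):
    """Count parsable frames per logical channel, skipping malformed datagrams."""
    counts = {}
    for pkt in packets:
        try:
            chan = parse_gsmtap(pkt)["channel"]
        except ValueError:
            continue
        counts[chan] = counts.get(chan, 0) + 1
    return counts


def report(counts):
    """Summary lines in the style of the thesis test output, most frequent first."""
    total = sum(counts.values())
    if not total:
        return ["[RESULT] no GSM frames discovered"]
    lines = ["[RESULT] GSM Discovered ( %d frames )" % total]
    for name, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        lines.append("[RESULT] GSM %s Packet encountered %d times ( %.1f %% )"
                     % (name, n, 100.0 * n / total))
    return lines


def build_packet(channel, frame_number, arfcn=85, payload=b"\x00" * 23):
    """Constructed GSMTAP datagram (not a real capture) for feeding the tally."""
    return HDR.pack(GSMTAP_VERSION, 4, GSMTAP_TYPE_UM, 0, arfcn, -60, 20,
                    frame_number, channel, 0, 0, 0) + payload


class Collector(threading.Thread):
    """Listener thread: drains the loopback socket while the DSP flowgraph lives
    (or deadlocks) in another thread; stop() lets it drain once more, then exit."""

    def __init__(self, port=GSMTAP_PORT):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", port))
        self.sock.settimeout(0.2)
        self.packets, self.stopping = [], threading.Event()

    def run(self):
        while True:
            try:
                self.packets.append(self.sock.recv(4096))
            except socket.timeout:
                if self.stopping.is_set():
                    break
        self.sock.close()

    def stop(self):
        self.stopping.set()
        self.join()


if __name__ == "__main__":
    collector = Collector()
    collector.start()
    out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for fn in range(118):
        out.sendto(build_packet(2, fn), ("127.0.0.1", GSMTAP_PORT))   # CCCH
    for fn in range(1033):
        out.sendto(build_packet(3, fn), ("127.0.0.1", GSMTAP_PORT))   # RACH
    out.close()
    collector.stop()
    print("\n".join(report(tally(collector.packets))))
```

Because the collector only exits after a receive timeout that follows the stop request, datagrams still queued in the loopback socket are not lost at shutdown, which is the failure mode a naive "set flag, break out of loop" listener has. Anything that is not a well-formed GSMTAP datagram is dropped by `tally` rather than aborting the run, since the same UDP port can receive unrelated traffic.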

17. Proposal of a new framework
Until now most papers used different implementations for their approach. This was a problem for both the practical and the theoretical work. A unified approach can speed up new research and development:
◮ Modules
  ◮ represent OSI layers
  ◮ contain algorithms
  ◮ cross-layer interfacing
◮ Data Stacks
  ◮ hold all data of one analysis
  ◮ cross-layer data access
  ◮ independent of the implementation
