Off-Path TCP Exploit: How Wireless Routers Can Jeopardize Your Secrets
TRANSCRIPT
![Page 1: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/1.jpg)
Off-Path TCP Exploit: How Wireless Routers Can Jeopardize Your Secrets
Weiteng Chen, Zhiyun Qian
University of California, Riverside
![Page 2: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/2.jpg)
Generic Threat Model
Client C and server S communicate over the Internet. Mallory is off-path (not man-in-the-middle): she sends probing packets and obtains feedback through a sandboxed script or an unprivileged app running on the client [1][2].
[1] Gilad, Yossi, and Amir Herzberg. "Off-path TCP injection attacks."
[2] Qian, Zhiyun, Z. Morley Mao, and Yinglian Xie. "Collaborative TCP sequence number inference attack: how to crack sequence number under a second."
![Page 3: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/3.jpg)
An attack using the packet counter side channel
![Page 4: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/4.jpg)
Building Blocks of Side Channels
• Shared resources, e.g., a global IP-ID counter, a packet counter, a global challenge-ACK rate limit
• Shared state changes observable to attackers, e.g., from JavaScript or unprivileged malware
![Page 5: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/5.jpg)
A Time-Line of TCP Injection Attacks
[Morris 1985] [Bellovin 1989] Exploit predictable ISNs (initial sequence numbers)
[RFC 1948, 1996] Unpredictable ISN
[Watson 2004] Blind reset attacks
[RFC 5961, 2010] Minimize the ACK window
[Gilad 2014] Blind data injection
![Page 6: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/6.jpg)
A Time-Line of TCP Injection Attacks (Cont.)
[lkm 2007] [Amir 2012] IP-ID counter side channel; Windows finally eliminates the global IP-ID counter
[Qian 2012] Packet counter side channel; CVE-2017-13810: macOS provides dummy packet counters, Linux adopts namespaces
[Cao 2016] Challenge ACK rate limit side channel; CVE-2016-5696: randomize the count of challenge ACKs, per-socket rate limit
[This work 2018] Timing side channel
![Page 7: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/7.jpg)
Off-Path TCP Injection Attacks
| Side Channel | Requirement | Affected OS | Patch/Mitigation |
|---|---|---|---|
| Global IP-ID counter | N/A | Windows | Global IP-ID counter eliminated |
| Global challenge ACK rate limit | N/A | Linux | Global rate limit eliminated |
| Packet counter | Malware | Linux, macOS | Namespace / dummy counter |
| Wireless contention (this work) | JavaScript | Any | N/A |
![Page 8: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/8.jpg)
RFC 793: TCP Packet Receiving Basics
Simplified processing logic for a packet arriving at the client (from the server or from the attacker): connection match, then SEQ # check, then ACK # check. A failed connection match or SEQ # check ends in either a silent drop or a reply, and so does the ACK # check.
![Page 9: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/9.jpg)
Port Number Inference
The attacker sends spoofed packets to the client, in two cases: the client has a connection to the server (151.101.201.67:80), or it has no connection. How can the attacker see the difference?
![Page 10: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/10.jpg)
One Plausible Idea
Mallory sends a query to the client through its router and times the corresponding response (one RTT). Alongside the query she sends a probe: with no connection the probe draws nothing, with an active connection it draws dup ACKs from the client, and the RTT of the query should reflect that difference.
![Page 11: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/11.jpg)
Wireless Timing Channel
Full-duplex vs. half-duplex links.
§ Half-duplex: a fundamental design of wireless protocols
§ Shared resource: the half-duplex wireless channel
![Page 12: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/12.jpg)
Probing Strategy
Diagram: client ⇄ router over half-duplex Wi-Fi; router ⇄ attacker and server over full-duplex wired links. Spoofed packets that do not trigger an ACK leave the round-trip time of the attacker's legitimate packets unchanged.
![Page 13: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/13.jpg)
Probing Strategy (Cont.)
Diagram: same topology. Spoofed packets that do trigger an ACK make the client transmit on the half-duplex link, which changes the round-trip time of the attacker's legitimate packets.
![Page 14: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/14.jpg)
Timing Difference
Diagram: the attacker sends a pre-probe query (RTT_1), then the probe, then a post-probe query (RTT_2). On the half-duplex link, a probe that does not trigger an ACK leaves RTT_2 unchanged, while a probe that triggers an ACK causes a failed transmission and a delayed corresponding response, so RTT_2 grows. On the full-duplex link there is no difference.
• Larger RTT → triggers ACK → correct port number?
![Page 15: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/15.jpg)
Timing Difference (Cont.)
Diagram: the same pre-probe / probe / post-probe measurement (RTT_1, RTT_2) with several spoofed packets per probe. No ACK vs. multiple ACKs: each triggered ACK is another failed or delayed transmission on the half-duplex link, and again no difference on the full-duplex link.
• More probing packets → more contention → larger RTTs
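The two timing slides above can be turned into a small event model. The Python below is an added illustration, not code from the talk or from its repository: it serialises downlink and uplink frames on a single medium when the link is half-duplex (and on one medium per direction when it is full-duplex), sends a query right behind a burst of spoofed probes, and reports the query's RTT. `AIRTIME`, `WIRED`, the port numbers and the probe counts are made-up sample values, frames are served first-ready-first-served as a stand-in for CSMA, and the model is noiseless; the real attack repeats the measurement and compares RTT distributions. `make_victim` plays the client, which only transmits ACKs for probes aimed at the port that actually holds the connection; `infer_client_port` is the attacker side, which sees nothing but RTTs.

```python
"""Event model of the half-duplex timing channel (added example, assumptions
marked in comments)."""
import heapq
from itertools import count

AIRTIME = 1.0   # ms to put one frame on the air (assumed constant)
WIRED = 10.0    # ms one way between attacker and router over the Internet (assumed)


def query_rtt(n_probes, probes_trigger_ack, half_duplex=True):
    """RTT in ms of one query that reaches the router right behind n_probes
    spoofed packets.  Frames are served in order of readiness and wait while
    the medium they need is busy (a FIFO approximation of CSMA)."""
    busy_until = {}
    order = count()                       # tie-breaker: first ready, first served
    # (ready time, order, direction, kind); probes and query all arrive at WIRED
    pending = [(WIRED, next(order), "down", "probe") for _ in range(n_probes)]
    pending.append((WIRED, next(order), "down", "query"))
    heapq.heapify(pending)
    while pending:
        ready, _, direction, kind = heapq.heappop(pending)
        medium = "shared" if half_duplex else direction   # one medium, or one per direction
        start = max(ready, busy_until.get(medium, 0.0))
        done = start + AIRTIME
        busy_until[medium] = done
        if kind == "probe" and probes_trigger_ack:
            heapq.heappush(pending, (done, next(order), "up", "ack"))       # client answers
        elif kind == "query":
            heapq.heappush(pending, (done, next(order), "up", "response"))  # client answers
        elif kind == "response":
            return done + WIRED           # response crosses the wired path back
    raise RuntimeError("the query was never answered")


def make_victim(client_port, half_duplex=True):
    """Victim side of the model (assumption): probes aimed at the port that
    really holds the connection make the client transmit, e.g. challenge ACKs;
    probes to any other port draw no frame.  Returns measure(port, n) -> RTT ms."""
    return lambda port, n_probes: query_rtt(n_probes, port == client_port, half_duplex)


def infer_client_port(measure, candidates, n_probes=10):
    """Attacker side: the port whose probes make the client transmit shows the
    largest post-probe RTT.  The median RTT over all candidates serves as the
    no-ACK baseline; None means no candidate stands out (full-duplex link)."""
    rtts = {port: measure(port, n_probes) for port in candidates}
    baseline = sorted(rtts.values())[len(rtts) // 2]
    best = max(rtts, key=rtts.get)
    threshold = n_probes * AIRTIME / 2    # expect n_probes extra ACK airtimes; accept half
    return best if rtts[best] - baseline >= threshold else None


if __name__ == "__main__":
    for n in (1, 5, 10):
        print(n, query_rtt(n, False), query_rtt(n, True), query_rtt(n, True, half_duplex=False))
    print(infer_client_port(make_victim(51234), range(51230, 51240)))
    print(infer_client_port(make_victim(51234, half_duplex=False), range(51230, 51240)))
```

With these constants the post-probe RTT is `22 + n` ms when the probes draw nothing and `22 + 2n` ms when each probe draws an ACK on a half-duplex link, i.e. the gap grows by one frame airtime per probe, which is the slide's "more probing packets → more contention → larger RTTs"; on a full-duplex link both cases give `22 + n` ms and the inference returns None.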
![Page 16: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/16.jpg)
Empirical Test Results
• Setup:
• 4 wireless routers: from Linksys, Huawei, Xiaomi, and Gee
• 2 machines: a 2017 MacBook and a 2017 Dell desktop (Linux)
• 2.4 GHz and 5 GHz Wi-Fi
• Topology: client C and server S across the Internet; Mallory's feedback comes from a sandboxed script on the client
![Page 17: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/17.jpg)
Empirical Test Results (Cont.)
(a) RTT measurement of Linux using the 5 GHz network of a Linksys router
(b) RTT measurement of macOS using the 2.4 GHz network of a Xiaomi router
(c) RTT measurement of macOS using the 5 GHz network of a Huawei router
![Page 18: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/18.jpg)
Empirical Test Results (Cont.)
Plots (time in ms vs. number of packets): RTT measurement of macOS using the 5 GHz network of a Xiaomi router at two different locations with RTTs over 20 ms
![Page 19: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/19.jpg)
Port Number Inference
The attacker sends spoofed packets to the client, in two cases: the client has a connection to the server, or it has no connection. How can the attacker see the difference?
![Page 20: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/20.jpg)
Sequence Number Inference
The attacker sends spoofed packets to the client, in two cases: the SEQ number is in-window, or it is out-of-window.
![Page 21: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/21.jpg)
TCP Stack Implementations
Table. Behaviors on different OSes when processing 10 identical packets*
| No. | OS | FLAG | SEQ | ACK | PAYLOAD | #Responses |
|---|---|---|---|---|---|---|
| 1 | Linux | ACK / SYN / RST | Out-of-window | Any | 1 | 10 |
| 3 | Linux | ACK / SYN / RST | In-window | > SND.MAX | Any | 0 |
| 10 | MacOS | None / ACK | Out-of-window | Any | Any | 10 |
| 11 | MacOS | None | In-window | Out-of-window | Any | 0 |
| 17 | Windows | ACK / FIN / SYN | Out-of-window | Any | Any | 10 |
| 18 | Windows | ACK / FIN | In-window | Out-of-window | Any | 0 |
*: See the complete table in our paper
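The Linux rows of the table (10 out-of-window probes draw 10 replies, 10 in-window probes whose ACK exceeds SND.MAX draw none) are exactly the signal a sequence-number inference needs. The Python below is an added model, not code from the talk or from the seclab-ucr/tcp_exploit repository: `Conn.process` follows the simplified receive path of the "RFC 793" slide (connection match, SEQ check with an RFC 5961 challenge ACK for out-of-window segments, ACK check that silently drops an ACK beyond SND.MAX), `count_responses` reproduces the table's #Responses column, and `infer_rcv_nxt` finds the left edge of the receive window with an oracle that only reports whether a SEQ value draws replies. The ports, window sizes and the attacker's assumed window bounds `wmin`/`wmax` are made-up sample values, the connection match ignores IP addresses, and the optional `challenge_ack_budget` is a simplified stand-in for the per-socket rate limit listed under Defenses/Mitigations (a budget rather than a per-second limit).

```python
"""Simplified TCP receive path and response-count oracle (added example;
assumptions are marked in comments)."""
from dataclasses import dataclass
from typing import Optional

MOD = 1 << 32  # sequence numbers live in a 32-bit modular space


@dataclass(frozen=True)
class Packet:
    sport: int
    dport: int
    seq: int
    ack: int
    flags: frozenset = frozenset({"ACK"})


@dataclass
class Conn:
    lport: int      # local (client) port the attacker has to guess
    rport: int      # remote (server) port, e.g. 80
    rcv_nxt: int    # receive window is [rcv_nxt, rcv_nxt + rcv_wnd)
    rcv_wnd: int
    snd_una: int    # oldest unacknowledged byte
    snd_nxt: int    # the table's SND.MAX: highest byte ever sent
    challenge_ack_budget: Optional[int] = None  # simplified per-socket rate limit (mitigation)

    def in_window(self, seq):
        return (seq - self.rcv_nxt) % MOD < self.rcv_wnd

    def ack_acceptable(self, ack):
        # RFC 793: SND.UNA <= ACK <= SND.NXT; table row 3 is the "ACK > SND.MAX" case
        return (ack - self.snd_una) % MOD <= (self.snd_nxt - self.snd_una) % MOD

    def process(self, p):
        """Reply type ('RST', 'ACK' or 'ACCEPT'), or None for a silent drop."""
        # 1. connection match (IP addresses ignored): no socket -> RFC 793 answers with RST
        if (p.dport, p.sport) != (self.lport, self.rport):
            return None if "RST" in p.flags else "RST"
        # 2. SEQ check: out-of-window -> RFC 5961 challenge ACK, connection state unchanged
        if not self.in_window(p.seq):
            if self.challenge_ack_budget is None:
                return "ACK"
            if self.challenge_ack_budget > 0:
                self.challenge_ack_budget -= 1
                return "ACK"
            return None                      # rate limit exhausted: silent
        # 3. ACK check: an ACK beyond SND.MAX is silently dropped (table row 3, Linux)
        if "ACK" in p.flags and not self.ack_acceptable(p.ack):
            return None
        return "ACCEPT"                      # a real stack would now act on RST/SYN/data


def count_responses(conn, pkt, n=10):
    """Replies drawn by n identical copies of pkt (the table's #Responses)."""
    return sum(conn.process(pkt) is not None for _ in range(n))


def infer_rcv_nxt(draws_replies, wmin, wmax):
    """Locate rcv_nxt given an oracle draws_replies(seq) that is True when a
    probe with that SEQ draws replies (out-of-window) and False when it is
    silently dropped (in-window).  wmin/wmax: attacker's assumed bounds on the
    victim's receive window (assumption)."""
    # Phase 1: stride the 2^32 space by wmin; the first silent probe lies in-window.
    hit = next(s for s in range(0, MOD, wmin) if not draws_replies(s))
    # Phase 2: hit - wmax is certainly out-of-window, so the window's left edge is
    # the single out-of-window -> in-window transition in (lo, hi]; binary-search it.
    lo, hi = hit - wmax, hit
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if draws_replies(mid % MOD):
            lo = mid
        else:
            hi = mid
    return hi % MOD


def demo():
    """Sample connection (constructed): client :51234 <-> server :80."""
    conn = Conn(lport=51234, rport=80, rcv_nxt=0x9ABCDEF0, rcv_wnd=300_000,
                snd_una=0x10000000, snd_nxt=0x10001000)
    out = Packet(80, 51234, seq=conn.rcv_nxt - 1, ack=conn.snd_nxt)        # table row 1
    inw = Packet(80, 51234, seq=conn.rcv_nxt + 10, ack=conn.snd_nxt + 1000)  # table row 3
    # The oracle always carries ACK > SND.MAX, so in-window probes stay silent.
    oracle = lambda seq: count_responses(conn, Packet(80, 51234, seq, conn.snd_nxt + 1000)) > 0
    return count_responses(conn, out), count_responses(conn, inw), infer_rcv_nxt(oracle, 1 << 18, 1 << 20)


if __name__ == "__main__":
    print(demo())  # (10, 0, 2596069104): 10 challenge ACKs, 0 replies, recovered rcv_nxt
```

The oracle is the only thing the attacker gets, and in the talk it is delivered by the wireless timing channel rather than by observing the replies directly: ten challenge ACKs on the half-duplex link versus none. Phase 1 costs at most 2^32 / wmin probes and phase 2 about log2(wmax) more, which is why a budgeted challenge ACK (set `challenge_ack_budget=1` on the sample connection and the count drops from 10 to 1) shrinks the signal each probe can produce.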
![Page 22: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/22.jpg)
ACK Number Inference
• Implementations of the ACK number check vary significantly from one OS to another
• Exploit the HTTP specifications and the behaviors of tolerant browsers
• Brute-force the ACK number
• Only takes a couple of seconds
![Page 23: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/23.jpg)
Evaluation
Local result
| OS | Browser | Success Rate | Avg time cost (s) |
|---|---|---|---|
| Linux | Chrome/Firefox | 10/10 | 188.80 |
| MacOS | Chrome/Firefox | 10/10 | 48.91 |
| Windows | Chrome/Firefox | 10/10 | 43.42 |
Remote result (RTT = 20 ms)
| OS | Browser | Success Rate | Avg time cost (s) |
|---|---|---|---|
| MacOS | Chrome/Firefox | 9/10 | 304.18 |
![Page 24: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/24.jpg)
Demo: Web Cache Poisoning
Diagram: client on wireless → Internet → CNN
![Page 25: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/25.jpg)
How bad?
• Teleconference with the IEEE 802.11 working group
• It is not possible to fix this at the physical and MAC layers!
![Page 26: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/26.jpg)
Defenses/Mitigations
• Wireless layer: full-duplex Wi-Fi technology, e.g., frequency-division duplexing on different frequency sub-bands
• TCP stack: revisit the TCP specifications, e.g., rate-limit responses to incoming packets with out-of-window SEQ
• Application layer: deploy HSTS (HTTP Strict Transport Security), preventing access via the insecure HTTP protocol
![Page 27: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/27.jpg)
Conclusion
• A new timing side channel inherent in all generations of IEEE 802.11 (Wi-Fi) technology
• Comprehensive analysis of TCP stack implementations in macOS, Windows, and Linux
• Implemented practical TCP injection attacks
• Proposed possible defenses
• https://github.com/seclab-ucr/tcp_exploit
![Page 28: Off-Path TCP Exploit: How Wireless Routers Can Jeopardize](https://reader033.vdocuments.net/reader033/viewer/2022061009/6299fce5adbb05695e2b76ee/html5/thumbnails/28.jpg)
Q&A
Thanks for your attention!