Remote Physical Device Fingerprinting
Authors: Tadayoshi Kohno, Andre Broido, KC Claffy
Presented: IEEE Symposium on Security and Privacy, 2005
Kishore Padma Raju
OUTLINE
1. Introduction and Prerequisites
2. Techniques
3. Investigations
4. Applications
5. Conclusion
6. Strengths and Weaknesses
Introduction and Prerequisites
• Fingerprinting
– Fingerprinter
– Fingerprintee
• There are a number of reliable techniques for remote operating system fingerprinting
– nmap
– Xprobe
• One step further: remotely fingerprint a physical device without that device's known cooperation
Introduction and Prerequisites
• Three different techniques
– Active fingerprinting
• Fingerprinter initiates the connection
– Semi-passive
• After the fingerprintee initiates the connection, the fingerprinter interacts with it
– Passive
• Observes traffic from the fingerprintee
Introduction and Prerequisites
• Parameter (a microscopic deviation in the device): clock skew
• A standard clock circuit uses a crystal oscillator which, like any modern wristwatch, has some amount of imprecision and thus exhibits drift over time
– offset = time reported – true time
• Clock skew
– S = d Offset(t) / dt
• Measured in ppm (μs/s)
Introduction and Prerequisites
• How much skew?
– +/- 4 seconds a day is common
– (25 minutes a year)
• Importantly, the paper argues the skew of a device is (generally) consistent and distinctive to that device
– Thus it can be used as a fingerprint for this device
(Slide illustration: "24 hours later")
OUTLINE
1. Introduction and Prerequisites
2. Techniques
– Exploiting the TCP TSopt (passive)
– The semi-passive technique
– Exploiting ICMP Timestamp Requests (active)
3. Investigations
4. Applications
5. Conclusion
6. Strengths and Weaknesses
Exploiting the TCP TSopt
• TSopt
– 32-bit timestamp contained in each packet
– A clock that is "at least approximately proportional to real time"
– Usually reset to zero upon reboot
– Usually not affected by changes to the device's system clock
Exploiting the TCP TSopt
• The measurer: any entity capable of observing TCP packets from the fingerprintee
• Create a trace of TCP packets from the fingerprintee
• For each packet plot a point
– X value: amount of actual time passed between reception of the first packet in the trace and the current packet
– Y value: the offset observed for this packet, based on its timestamp
(Figure) TSopt clock skew estimates for two sources from an OC-48 link of a US Tier 1 ISP over a two-hour period.
Exploiting the TCP TSopt
• Use linear programming to determine the equation of the line y = αx + β that best upper-bounds this set of points
– α is the estimate of the clock skew
– β is the initial observed offset
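The passive TSopt procedure from the two slides above (one point per packet, then the upper-bounding line), as an added example that is not code from the paper or these slides: it turns constructed arrival times and TSopt values into offset points, then fits y = αx + β by walking the points' upper convex hull, which gives the same optimum as the linear program because the objective is linear in (α, β). Function names and the 2-hour trace are my own constructions.

```python
# Clock-skew estimation from TCP timestamps (added example, not the paper's code).
# Standard library only; the trace built by demo_points() is constructed, not captured.

def offsets_from_tsopt(arrivals, tsvals, hz):
    """One point per packet: x = seconds since the first packet was observed,
    y = offset, i.e. seconds the fingerprintee's TSopt clock (hz ticks/s) has
    gained over true time since that first packet."""
    t0, v0 = arrivals[0], tsvals[0]
    return [(t - t0, (v - v0) / hz - (t - t0)) for t, v in zip(arrivals, tsvals)]

def _upper_hull(pts):
    """Upper convex hull by monotone chain; keeps only the highest y per x."""
    top = {}
    for x, y in pts:
        top[x] = max(top.get(x, y), y)
    hull = []
    for p in sorted(top.items()):
        while len(hull) >= 2:
            (ox, oy), (ax, ay) = hull[-2], hull[-1]
            if (ax - ox) * (p[1] - oy) - (ay - oy) * (p[0] - ox) < 0:
                break  # clockwise turn, so hull[-1] stays on the upper hull
            hull.pop()
        hull.append(p)
    return hull

def fit_upper_bound(pts):
    """Line y = alpha*x + beta lying on or above every point that minimises
    sum(alpha*x_i + beta - y_i), i.e. the linear program on the slide. The objective
    is linear, so the optimum is a line through two adjacent upper-hull vertices."""
    n, sx, sy = len(pts), sum(x for x, _ in pts), sum(y for _, y in pts)
    hull = _upper_hull(pts)
    if len(hull) < 2:
        raise ValueError("need points at two distinct x values")
    best = None
    for (x1, y1), (x2, y2) in zip(hull, hull[1:]):
        alpha = (y2 - y1) / (x2 - x1)
        beta = y1 - alpha * x1
        cost = alpha * sx + n * beta - sy
        if best is None or cost < best[0]:
            best = (cost, alpha, beta)
    return best[1], best[2]  # (skew in s/s, initial offset in s)

def demo_points(skew_ppm=-58.2, packets=240, step=30.0):
    """Constructed 2-hour trace of a device with the given skew. Every 7th packet sees
    the minimum network delay; the rest arrive up to 10 ms late, which only pushes
    points below the true line (the reason for an upper bound, not least squares)."""
    pts = []
    for i in range(packets):
        extra = 0.0 if i % 7 == 0 else ((i * 37) % 11) / 1000.0
        pts.append((i * step, skew_ppm * 1e-6 * i * step - extra))
    return pts
```

Running fit_upper_bound(demo_points()) recovers the constructed -58.2 ppm skew and a near-zero initial offset; a least-squares fit on the same points would be biased downward by the queueing delay.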
The semi-passive technique
• Windows 2000 and XP machines do not set the timestamp option in their initial SYN packets
• RFC 1323 mandates that none of the following TCP packets in that connection may include a timestamp
• Thus the previous approach will not work if a Windows machine is behind a NAT or firewall
The semi-passive technique
• Paper's trick: the measurer includes a timestamp in the responding SYN/ACK packet
• Windows machines then include timestamps in all subsequent packets of this connection
(Slide diagram: SYN; SYN/ACK with TSopt; subsequent segments with TSopt)
ICMP Timestamps
• Report the value of the system clock (milliseconds past midnight)
• RFC 792 requires a frequency of 1000 Hz (1 ms resolution)
• If the system clock is updated via NTP regularly, it will be relatively accurate
– However, most hosts do so infrequently
Exploiting ICMP Timestamp Requests (Active Approach)
• The measurer: an entity capable of sending ICMP Timestamp Requests and storing the fingerprintee's subsequent ICMP Timestamp Reply messages
• Limitation: the fingerprintee must not be behind a firewall that filters ICMP
• Estimation of the clock skew is similar to that in the TSopt methods
QUESTIONS: CLOCK SKEW
• What is the distribution of clock skews among devices?
• How stable are these clock skews over time?
• Can these clock skews be measured accurately, independent of network topology and access technology?
OUTLINE
1. Introduction and Prerequisites
2. Techniques
3. Investigations
– Distribution of clock skews
– Stability of clock skews
– Independence of access technology and topology
– Independence of distance and of measurer
– Effects of OS, NTP and other features
4. Applications
5. Conclusion
6. Strengths and Weaknesses
Distribution of clock skews - Experiment 1
Figure 1: Histogram of TSopt clock skew estimates for sources in a 2-hour network trace from an OC-48 link of a US Tier 1 ISP. (Considered only sources that sent packets over a period of at least 50 minutes per hour, and sent at least 2000 packets per hour.)
Distribution of clock skews
• Could this skew simply reflect different operating system and hardware configurations?
• To answer this, TSopt clock offsets were measured for 69 Pentium II machines running Windows XP SP1 over 38 days
• 48 TCP packets with timestamps per hour
Distribution of clock skews - Experiment 2
(Figure on slide)
Stability of Clock Skews
• Use the traces from Experiment 2:
– divided them into 12- and 24-hour periods
– compared all periods of the same length for each machine
• Differences between the maximum and minimum clock skew estimated for one machine:
– 12-hour periods: 1.29 to 7.33 ppm
– 24-hour periods: 0.00 to 4.05 ppm
• Clock skews are rather constant over time
– Other experiments with modern processors support this observation
Independence of Access Technology
Experiment 3: Connected a laptop at different locations via multiple access technologies to the Internet
• The measurer, host1, remained the same and was synchronized via NTP
• The laptop was not synchronized via NTP
• Skew estimates were all within a fraction of a ppm of each other (results table on slide)
Independence of Network Topology
• Experiment 4: 10 PlanetLab machines in the USA, Canada, Switzerland, India and Singapore with approximately accurate system times
• Laptop again as fingerprintee
• Skew estimates all within 0.4 ppm of each other (except IIT, India, with an additional 1.2 ppm)
Effects of OS and other features

| Start time | Operating system | NTP | Skew estimate (TCP tstamps) | Skew estimate (ICMP tstamps) |
|---|---|---|---|---|
| 2004-09-22, 12:00 PDT | Red Hat 9.0 | NO | -58.20 ppm | -58.16 ppm |
| 2004-09-17, 08:00 PDT | Red Hat 9.0 | YES | -58.16 ppm | -0.14 ppm |
| 2004-09-22, 21:00 PDT | Windows XP SP2 | NO | -85.20 ppm | -85.42 ppm |
| 2004-09-23, 21:00 PDT | Windows XP SP2 | YES | -85.54 ppm | 1.69 ppm |
Applications
• Distinguish virtual honeynets from real networks and virtual hosts from real ones
• Counting the number of devices behind a firewall
• Forensics, e.g. argue that a given device was not involved in a recorded event
• Tracking individual devices (with some probability)
Strengths
• Shows that it is possible to extract relevant security information from data considered noise
• Approach could be used with any other protocol that leaks information about a device's clock
Weaknesses
• Further experimentation required
– A laptop running Windows XP SP2 has a noticeably different TSopt clock skew after switching to battery power
– Newer processors throttle their speeds based on temperature and load, which affects the voltage from the power supply
• Easy to circumvent particular methods
– echo 0 > /proc/sys/net/ipv4/tcp_timestamps
– Randomize the TSopt timestamp
– Filter ICMP timestamp messages
Improvements
• Utilization of the approach with other protocols that leak information about a device's clock
• Use of profiling in combination with skew data
– Skew is within a certain range and the machine visits certain websites frequently
– OS profiling techniques