Off-Path TCP Exploit: How Wireless Routers Can Jeopardize Your Secrets
TRANSCRIPT
Weiteng Chen, Zhiyun Qian
University of California, Riverside
Generic Threat Model
[Figure: Mallory, off-path on the Internet, sends probing packets toward client C and server S and obtains feedback through a sandboxed script or an unprivileged app on the client [1][2]]
(Not Man-in-the-Middle)
[1] Gilad, Yossi, and Amir Herzberg. "Off-path TCP injection attacks."
[2] Qian, Zhiyun, Z. Morley Mao, and Yinglian Xie. "Collaborative TCP sequence number inference attack: how to crack sequence number under a second."

An attack using packet counter side channel
Building Blocks of Side Channels
• Shared resources
  • e.g., global IP-ID counter, packet counter, global challenge ACK rate limit
• Shared state changes observable to attackers
  • e.g., JavaScript, unprivileged malware
A Time-Line of TCP Injection Attacks
[Morris 1985] [Bellovin 1989]   Exploit predictable ISNs (Initial Sequence Number)
[RFC 1948, 1996]                Unpredictable ISN
[Watson 2004]                   Blind reset attacks
[RFC 5961, 2010]                Minimize ACK window
[Gilad 2014]                    Blind data injection
A Time-Line of TCP Injection Attacks (Cont)
[lkm 2007] [Amir 2012]   IP-ID counter side channel
                         Windows finally eliminates global IP-ID counter
[Qian 2012]              Packet counter side channel
                         CVE-2017-13810: macOS provides dummy packet counters; Linux adopts namespace
[Cao 2016]               Challenge ACK rate limit side channel
                         CVE-2016-5696: randomize the count of challenge ACKs; per-socket rate limit
[This Work 2018]         Timing side channel
Off-Path TCP Injection Attacks

Side Channel                      Requirement   Affected OS    Patch/Mitigation
Global IP-ID counter              N/A           Windows        Global IP-ID counter eliminated
Global challenge ACK rate limit   N/A           Linux          Global rate limit eliminated
Packet counter                    Malware       Linux, MacOS   Namespace / dummy counter
Wireless contention (this work)   JavaScript    Any            N/A
RFC 793: TCP Packet Receiving Basics
[Figure: simplified processing logic for an incoming packet at the client, with server and attacker shown: connection match, then seq # check, then ack # check; a failed check either drops the packet or sends a reply]
Simplified Processing Logic
Port Number Inference
[Figure: client, server and attacker in two cases: the client has a connection to the server vs. no connection]
How can the attacker see the difference?

One Plausible Idea
[Figure: Mallory, router, client and server 151.101.201.67:80, each path labelled with its RTT; "no connection" vs. "active connection"; labels: probe, query & corresponding response, dup ACK]
Wireless Timing Channel
[Figure: full-duplex vs. half-duplex channel]
§ Half-duplex: a fundamental design of wireless protocol
§ Shared resource: the half-duplex wireless channel
Probing Strategy
[Figure: client <- half duplex -> router <- full duplex -> attacker / server; legitimate packets vs. spoofed packets; case where the probe does not trigger an ACK, measured by round trip time]

Probing Strategy (Cont)
[Figure: same setup; case where the probe triggers an ACK, measured by round trip time]
Timing Difference
[Figure: RTT_1 vs. RTT_2; pre-probe query and post-probe query for "no ACKs" vs. "triggering ACKs"; when the probe triggers an ACK, the corresponding response is delayed (failed transmission on the half-duplex link)]
• Larger RTT -> trigger ACK -> correct port number?
Timing Difference (Cont)
[Figure: same setup, "no ACK" vs. "multiple ACKs"; with multiple ACKs the corresponding response is delayed further]
• More probing packets -> more contention -> larger RTTs
Empirical Test Results
• Setup:
  • 4 wireless routers: from Linksys, Huawei, Xiaomi, and Gee
  • 2 machines: 2017 MacBook and 2017 Dell Desktop (Linux)
  • 2.4 GHz and 5 GHz Wi-Fi
[Figure: Mallory's sandboxed script on client C, server S across the Internet]
Empirical Test Results (Cont)
[Plots: time (ms) vs. number of packets]
(a) RTT measurement of Linux using 5 GHz network of a Linksys router
(b) RTT measurement of macOS using 2.4 GHz network of a Xiaomi router
(c) RTT measurement of macOS using 5 GHz network of a Huawei router

Empirical Test Results (Cont)
[Plot: time (ms) vs. number of packets] RTT measurement of macOS using 5 GHz network of a Xiaomi router at two different locations with RTTs over 20 ms
Port Number Inference
[Figure: client, server and attacker in two cases: the client has a connection to the server vs. no connection]
How can the attacker see the difference?
Sequence Number Inference
[Figure: client, server and attacker in two cases: the probe's SEQ is in-window vs. out-of-window]
TCP Stack Implementations
Table. Behaviors on different OSes when processing 10 identical packets*
*: See the complete table in our paper

No.  OS       FLAG          SEQ             ACK             PAYLOAD  #Responses
1    Linux    ACK|SYN|RST   Out-of-window   Any             1        10
3    Linux    ACK|SYN|RST   In-window       >SND.MAX        Any      0
10   MacOS    None|ACK      Out-of-window   Any             Any      10
11   MacOS    None          In-window       Out-of-window   Any      0
17   Windows  ACK|FIN|SYN   Out-of-window   Any             Any      10
18   Windows  ACK|FIN       In-window       Out-of-window   Any      0
ACK Number Inference
• Implementations of ACK number check vary significantly from one OS to another
• Exploit HTTP specifications and behaviors of tolerant browsers
• Brute-force ACK number
  • Only takes a couple of seconds
Evaluation

Local result
OS       Browser          Success Rate   Avg time cost (s)
Linux    Chrome/Firefox   10/10          188.80
MacOS    Chrome/Firefox   10/10          48.91
Windows  Chrome/Firefox   10/10          43.42

Remote result (RTT = 20 ms)
OS       Browser          Success Rate   Avg time cost (s)
MacOS    Chrome/Firefox   9/10           304.18
Demo: Web Cache Poisoning
[Figure: wireless client, Internet, CNN]

How bad?
• Teleconference with IEEE 802.11 working group
• It's not possible to be fixed at physical and MAC layers!
Defenses / Mitigations
• Wireless layer: full-duplex Wi-Fi technology
  • E.g., frequency-division duplexing, different frequency sub-bands
• TCP stack: revisit TCP specifications
  • E.g., rate limit responses for incoming packets with out-of-window SEQ
• Application layer: deploy HSTS (HTTP Strict Transport Security)
  • Preventing access via the insecure HTTP protocol
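Added example (not code from the talk or its authors): a toy model of the RFC 793 receive path behind the "TCP Stack Implementations" table, with the per-socket limit on replies to out-of-window SEQ that the TCP-stack mitigation above suggests. The Socket and Segment types, the budget field and all numbers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Segment:
    seq: int
    ack: int
    flags: frozenset = frozenset({"ACK"})   # constructed: subset of {SYN, ACK, RST, FIN}
    payload_len: int = 0


@dataclass
class Socket:
    rcv_nxt: int                             # next sequence number expected from the peer
    rcv_wnd: int                             # receive window size
    snd_max: int                             # highest sequence number sent so far (SND.MAX)
    oow_reply_budget: Optional[int] = None   # None: unlimited replies (plain RFC 793)
    oow_replies_sent: int = 0


def seq_in_window(sock: Socket, seg: Segment) -> bool:
    """RFC 793 acceptability test: SEG.SEQ must fall inside [RCV.NXT, RCV.NXT + RCV.WND)."""
    return sock.rcv_nxt <= seg.seq < sock.rcv_nxt + sock.rcv_wnd


def process(sock: Socket, seg: Segment) -> str:
    """Return 'ack' (a reply packet is sent), 'drop' (silently discarded) or 'accept'."""
    if not seq_in_window(sock, seg):
        # RFC 793: an out-of-window segment elicits an ACK carrying the current
        # state (table rows 1, 10, 17: ten probes, ten replies). Under the
        # mitigation the socket stops replying once its budget is used up, so
        # the reply count no longer tracks the probe count.
        if sock.oow_reply_budget is not None and sock.oow_replies_sent >= sock.oow_reply_budget:
            return "drop"
        sock.oow_replies_sent += 1
        return "ack"
    if seg.ack > sock.snd_max:
        # In-window SEQ but the ACK acknowledges data never sent: discarded
        # without any reply (table rows 3, 11, 18).
        return "drop"
    return "accept"


def count_replies(sock: Socket, seg: Segment, n: int = 10) -> int:
    """Feed n identical segments, as the table's experiment does, and count reply packets."""
    return sum(1 for _ in range(n) if process(sock, seg) == "ack")


if __name__ == "__main__":
    oow = Segment(seq=1, ack=4000)          # constructed probe: SEQ out of window
    bad_ack = Segment(seq=1000, ack=6000)   # in-window SEQ, ACK beyond SND.MAX
    print(count_replies(Socket(1000, 65535, 5000), oow))                      # 10
    print(count_replies(Socket(1000, 65535, 5000), bad_ack))                  # 0
    print(count_replies(Socket(1000, 65535, 5000, oow_reply_budget=1), oow))  # 1
```

With the budget in place, ten out-of-window probes and ten in-window probes both produce at most one reply, which is the distinguishing signal the table exposes.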
Conclusion
• A new timing side channel inherent in all generations of IEEE 802.11 or Wi-Fi technology
• Comprehensive analysis of TCP stack implementations in macOS, Windows, and Linux
• Implement practical TCP injection attacks
• Propose possible defenses
• https://github.com/seclab-ucr/tcp_exploit

Q&A
Thanks for your attention!