automated analysis of wireless communication protocols
play

Automated Analysis of Wireless Communication Protocols via SDR - PowerPoint PPT Presentation

Oct 02, 2022 •347 likes •583 views

Chair for Network Architectures and Services Technische Universit at M unchen Automated Analysis of Wireless Communication Protocols via SDR Bachelor thesis colloquium Roman Leuprecht November 4, 2015 Chair for Network Architectures and

  1. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Automated Analysis of Wireless Communication Protocols via SDR Bachelor thesis colloquium Roman Leuprecht November 4, 2015 Chair for Network Architectures and Services Department of Informatics Technische Universit¨ at M¨ unchen Technische Universit¨ at M¨ unchen – Chair for Network Architectures and Services 1

  2. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Recap: SDR GNU Radio & The HackRF Hardware Concept Motivation Challenges Implementation ADS-B DCF-77 GSM Implementation Details Implementation Result Proposal of a new framework Conclusion Technische Universit¨ at M¨ unchen – Chair for Network Architectures and Services 2

  3. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Recap: SDR SDR is the technology of using software instead of integrated circuits in radio modules Bus A/D Amplifier Antenna Host System Conv. This enables easier and faster research and development. In this thesis we used: ◮ HackRF as transceiver hardware ◮ GNU Radio as SDR framework Technische Universit¨ at M¨ unchen – Chair for Network Architectures and Services 3

  4. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Motivation ◮ many wireless systems are based on proprietary protocols ◮ e.g. car remotes, wireless lock systems ◮ analysis needed to discover flaws & weaknesses ◮ private and military security concerns ◮ manual analysis is time-consuming but automation may help ◮ pattern recognition ◮ maximum likelihood calculations ◮ frequency deviation and progression analysis Technische Universit¨ at M¨ unchen – Chair for Network Architectures and Services 4

  5. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Concept At first the concept was to develop a framework for completely automated communication analysis featuring: ◮ automated recognition of messages ◮ search for patterns and structures ◮ reliable identification of known protocols During the course of the thesis challenges were discovered and the concept was modified: ◮ analyze challenges & research on them in-depth ◮ design an unified approach for wireless analysis ◮ implement a first testing framework Technische Universit¨ at M¨ unchen – Chair for Network Architectures and Services 5

  6. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Challenges: Overview Digital Baseband Network Channel Modulation forming Payload Packet Code reconstruction recognition estimation Digital Network Channel Baseband Demod- Payload Packet Code Detection ulation Figure: Flowgraph of digital information [1] with the challenges indicated Technische Universit¨ at M¨ unchen – Chair for Network Architectures and Services 6

  7. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Challenges: Details The following challenges and their respective approaches to solve the problems were found: ◮ modulation recognition ◮ neuronal networks for detection ( ∼ 90% success) [2] ◮ channel code estimation ◮ linear codes: Maximum likelihood based [3] ◮ convolutional Codes: Matrix rank approach [4] ◮ packet reconstruction ◮ state machine based (ReverX, Roleplayer) [5, 6] ◮ token cluster based (Discoverer) [7] ◮ hybrid approach (ProtoX) [8] Technische Universit¨ at M¨ unchen – Chair for Network Architectures and Services 7

  8. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Implementation: ADS-B ADS-B is the official standard for broadcasting airborne information and anti collision data [9]: ◮ distributes: ◮ height & speed ◮ coordinates & direction ◮ flight number & identification ◮ 1090MHz, pulse position modulation, 1Mbps ◮ two GNU Radio implementations, none stand-alone Challenges for the implementation further were: ◮ filter design was complicated, over-sampling and then down-sampling first tried (4MSamples) ◮ dc-blocker with thresholds produces high/low signals ◮ PPM modulation not implemented in GNU Radio Technische Universit¨ at M¨ unchen – Chair for Network Architectures and Services 8

  9. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Implementation: GR-Filters vs DC Blocker This plot shows the effect of different DC-spike avoidance techniques implemented in GNU Radio: Technische Universit¨ at M¨ unchen – Chair for Network Architectures and Services 9

  10. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Implementation: DCF-77 DCF-77 broadcasts the official German time and provides a radio time service for central Europe [10, 11] ◮ 77.5KHz , proprietary modulation ◮ 1Bit/s, Frames aligned to minutes Since no working implementation at all was found, no test could be developed. Nevertheless, DCF-77 is a good example how reduced radio stacks can operate. Technische Universit¨ at M¨ unchen – Chair for Network Architectures and Services 10

  11. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Implementation: The DCF-77 customized radio stack Bits 1–14 Bits 15–20 Bits 21–28 Bits 29–35 Bits 36–58 Bits 59–60 Various Time Information Minutes Hours Date Pause – SFD Bits 36–41 Bits 42–44 Bits 58 Bits 45–49 Bits 50–57 Calendar Day Week Day Parity Month Year Figure: DCF77 payload [10] and modulation [12] Technische Universit¨ at M¨ unchen – Chair for Network Architectures and Services 11

  12. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Implementation: Global System for Mobile Communications GSM is the worldwide standard for mobile communication that was also adapted to various uses, e.g. railways (GSM-R)[13] ◮ 850MHz, 900MHz, 1800MHz & 1900MHz most common bands (14 in total ranging from 380MHz to 1900MHz) ◮ minimum shift keying modulation with freq. multiplex ◮ operates on 1024 Channels (each 200kHz wide, 75% in main quad bands) For GSM the gr-gsm 1 library yielded a usable implementation that provides: ◮ channel model ◮ burst aggregation ◮ packet detection 1 https://github.com/ptrkrysik/gr-gsm Technische Universit¨ at M¨ unchen – Chair for Network Architectures and Services 12

  13. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Implementation: Details The implementation faced certain problems induced by the used software ◮ GNU Radio Bug: Message Passing in Python dead-locks DSP flow at the end ◮ C++ blocks should not pass data into the surrounding Python program (may have side effects) ◮ no components to extract data for sequential tests These could be solved by using the following techniques: ◮ threaded design allows tests to run despite the deadlock ◮ data is submitted via local loop-back and UDP protocol ◮ relies on reliability of the implementation of local loopback sockets in the operating system (Linux was used) ◮ UDP approach allows interfacing with third-party programs Technische Universit¨ at M¨ unchen – Chair for Network Architectures and Services 13

  14. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Implementation: Threading Start Start, Read Options threads UDP Configure Listen DSP DATA Test Executing Data DSP Join End threads Figure: The threading architecture of the Python application Technische Universit¨ at M¨ unchen – Chair for Network Architectures and Services 14

  15. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Implementation: Output A sample test output written by the implemented GSM test analyzing the channel #85(952MHz) over about 20 seconds in Munich, Germany: [RESULT] GSM Discovered ( 1151 frames ) [RESULT] GSM CCCH Packet encountered 118 times ( 10.3 % ) [RESULT] GSM RACH Packet encountered 1033 times ( 89.7 % ) ◮ CCCH: Common Control Channel (GSM control handshakes and data exchange) ◮ RACH: Random Access Channel (for direct GSM system access of clients) Technische Universit¨ at M¨ unchen – Chair for Network Architectures and Services 15

  16. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Implementation: Wireshark on local loopback (lo) The extracted data can also be viewed in third party applications like Wireshark Technische Universit¨ at M¨ unchen – Chair for Network Architectures and Services 16

  17. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Proposal of a new framework Until now most papers used different implementations for their approach. This was a problem for the practical and theoretical work. A unified approach can speed up new research and development: ◮ Modules ◮ represent OSI layers ◮ contain algorithms ◮ cross layer inferfacing ◮ Data Stacks ◮ hold all data of one analysis ◮ cross layer data access ◮ independent of the implementation Technische Universit¨ at M¨ unchen – Chair for Network Architectures and Services 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Wireless Communication Systems @CS.NCTU Lecture 4: MAC Protocols for WLANs Instructor: Kate

Wireless Communication Systems @CS.NCTU Lecture 4: MAC Protocols for WLANs Instructor: Kate

Wireless Communication Systems @CS.NCTU Lecture 4: MAC Protocols for WLANs Instructor: Kate Ching-Ju Lin ( ) 1 Reference 1. A Technical Tutorial on the IEEE 802.11 Protocol By Pablo Brenner online:

541 views • 42 slides
Wireless Wireless Medium Access Control Medium Access Control Protocols Protocols

Wireless Wireless Medium Access Control Medium Access Control Protocols Protocols

Wireless Wireless Medium Access Control Medium Access Control Protocols Protocols Telecomunicazioni Undergraduate course in Electrical Engineering University of Rome La Sapienza Rome, Italy 2007-2008 Classification of of wireless

597 views • 35 slides
When Users Interfere with Protocols Prospect Theory in Wireless Networks WINLAB Narayan B.

When Users Interfere with Protocols Prospect Theory in Wireless Networks WINLAB Narayan B.

When Users Interfere with Protocols Prospect Theory in Wireless Networks WINLAB Narayan B. Mandayam (joint work with Tianming Li) Motivation: Engineered System Design Current radio technologies and associated communication protocols are

665 views • 28 slides
Wireless Communication Systems @CS.NCTU Lecture 9: MAC Protocols for WLANs Fine-Grained Channel

Wireless Communication Systems @CS.NCTU Lecture 9: MAC Protocols for WLANs Fine-Grained Channel

Wireless Communication Systems @CS.NCTU Lecture 9: MAC Protocols for WLANs Fine-Grained Channel Access in Wireless LAN (SIGCOMM10) Instructor: Kate Ching-Ju Lin ( ) 1 Physical-Layer Data Rate PHY layer data rate in WLANs is

791 views • 21 slides
Noise Explorer Fully automated modeling, analysis and verification for arbitrary Noise protocols

Noise Explorer Fully automated modeling, analysis and verification for arbitrary Noise protocols

Noise Explorer Fully automated modeling, analysis and verification for arbitrary Noise protocols IACR Real World Crypto Nadim Kobeissi Symposium 2019 Karthikeyan Bhargavan San Jose, California Noise Protocol Framework: What is it? A

586 views • 23 slides
An Introduction to Wireless Technologies Part 1 F. Ricci Content Wireless communication

An Introduction to Wireless Technologies Part 1 F. Ricci Content Wireless communication

An Introduction to Wireless Technologies Part 1 F. Ricci Content Wireless communication standards Computer Networks Simple reference model Frequencies and regulations Wireless communication technologies Signal propagation

644 views • 45 slides
Communication Chapter 2 Layered Protocols (1) 2-1 Layers, interfaces, and protocols in the OSI

Communication Chapter 2 Layered Protocols (1) 2-1 Layers, interfaces, and protocols in the OSI

Communication Chapter 2 Layered Protocols (1) 2-1 Layers, interfaces, and protocols in the OSI model. 1 Layered Protocols (2) 2-2 A typical message as it appears on the network. Data Link Layer 2-3 Discussion between a receiver and a

577 views • 23 slides
Interprocess Communication (IPC) The characteristics of protocols for communication between

Interprocess Communication (IPC) The characteristics of protocols for communication between

Interprocess Communication (IPC) The characteristics of protocols for communication between processes in a distributed system Exploring the Middleware Layers Applications, services RMI and RPC and Request Reply Protocol Marshalling and

883 views • 64 slides
TLS in the wild An Internet-wide analysis of TLS-based protocols for electronic communication

TLS in the wild An Internet-wide analysis of TLS-based protocols for electronic communication

TLS in the wild An Internet-wide analysis of TLS-based protocols for electronic communication Ralph Holz School of Information Technologies Faculty of Engineering & Information Technologies Team This is joint work with Johanna

678 views • 28 slides
Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over an untrusted channel (eg. Internet) 2 Security Protocols are out there Authentication Confidentiality Example: HTTPS (HTTP + TLS)

669 views • 42 slides
Security Analysis on Wireless LAN protocols HORI Yoshiaki hori@csce.kyushu-u.ac.jp Kyushu

Security Analysis on Wireless LAN protocols HORI Yoshiaki hori@csce.kyushu-u.ac.jp Kyushu

Security Analysis on Wireless LAN protocols HORI Yoshiaki hori@csce.kyushu-u.ac.jp Kyushu University / ISIT ETRI-ISIT 1st joint seminar 1 Contents S e c u r i t y a n a l y s i s o n I E E E 8 0 2 . 1 1 i

331 views • 20 slides
Wireless Networks and Protocols MAP-Tele Manuel P. Ricardo Faculdade de Engenharia da

Wireless Networks and Protocols MAP-Tele Manuel P. Ricardo Faculdade de Engenharia da

WNP-MPR-Fundaments 1 Wireless Networks and Protocols MAP-Tele Manuel P. Ricardo Faculdade de Engenharia da Universidade do Porto WNP-MPR-Fundaments 2 Topics Scheduled for Today Introduction to Wireless Networks and Protocols

1.16k views • 97 slides
Ulwimo ULtimate WIreless MObility Developments within indoor wireless communication

Ulwimo ULtimate WIreless MObility Developments within indoor wireless communication

Ulwimo ULtimate WIreless MObility Developments within indoor wireless communication Marketpotential of the many and varying solutions Koen Mioulet Overview: 1.Ulwimo, introduction 2.Indoor wireless market dynamics 3.Indoor wireless & DAS

567 views • 28 slides
Comparative Safety Analysis of Wireless Communication Networks in Avionics Rohit Dureja and

Comparative Safety Analysis of Wireless Communication Networks in Avionics Rohit Dureja and

Comparative Safety Analysis of Wireless Communication Networks in Avionics Rohit Dureja and Kristin Yvonne Rozier Iowa State University Laboratory for + Temporal Logic Temporal Logic October 5, 2016 Motivation The Airbus A380 has around

323 views • 8 slides
Security Analysis of Network Protocols John Mitchell Stanford University Usenix Security

Security Analysis of Network Protocols John Mitchell Stanford University Usenix Security

Security Analysis of Network Protocols John Mitchell Stanford University Usenix Security Symposium, 2008 Many Protocols Authentication and key exchange SSL/TLS, Kerberos, IKE, JFK, IKEv2, Wireless and mobile computing Mobile IP, WEP,

959 views • 71 slides
Wireless Networks L ecture 10: LAN MAC Protocols Wireless versus Wired Peter Steenkiste CS and

Wireless Networks L ecture 10: LAN MAC Protocols Wireless versus Wired Peter Steenkiste CS and

Wireless Networks L ecture 10: LAN MAC Protocols Wireless versus Wired Peter Steenkiste CS and ECE, Carnegie Mellon University Peking University, Summer 2016 1 Peter A. Steenkiste Outline Data link fundamentals And what changes in

743 views • 11 slides
Section 8: Carrier Modulated Transmission Convert binary data into form suited to channel

Section 8: Carrier Modulated Transmission Convert binary data into form suited to channel

University of Manchester CS3282: Digital Communications Section 8: Carrier Modulated Transmission Convert binary data into form suited to channel characteristics; i.e. usable frequency band, gain & phase distortion within usable

1.66k views • 128 slides
Formal System Design Process with UML Use a formal process & tools to facilitate and

Formal System Design Process with UML Use a formal process & tools to facilitate and

Formal System Design Process with UML Use a formal process & tools to facilitate and automate design steps: Requirements Specification System architecture Coding/chip design Testing Text: Chapter 1.4 Other resources on course web

584 views • 41 slides
Design-time application mapping and platform exploration for MP-SoC customised run-time

Design-time application mapping and platform exploration for MP-SoC customised run-time

Design-time application mapping and platform exploration for MP-SoC customised run-time management Ch. Ykman-Couvreur, V. Nollet, Th. Marescaux, E. Brockmeyer, Fr. Catthoor and H. Corporaal Abstract: In an Multi-Processor system-on-Chip (MP-SoC)

285 views • 9 slides
Dynamical Systems and Computational Mechanisms Belgium Workshop July 1-2 , 2002 Roger Brockett

Dynamical Systems and Computational Mechanisms Belgium Workshop July 1-2 , 2002 Roger Brockett

Dynamical Systems and Computational Mechanisms Belgium Workshop July 1-2 , 2002 Roger Brockett Engineering and Applied Sciences Harvard University Issues and Approach 1. Developments in fields outside electrical engineering and computer

581 views • 31 slides
NPTEL VIDEO COURSES (672) IN SUPPLEMENTARY FORMATS PDF Slides of MP4, Audio Lectures (MP3),

NPTEL VIDEO COURSES (672) IN SUPPLEMENTARY FORMATS PDF Slides of MP4, Audio Lectures (MP3),

NPTEL VIDEO COURSES (672) IN SUPPLEMENTARY FORMATS PDF Slides of MP4, Audio Lectures (MP3), Sub-Titles (SRT) No Course ID Lec Name of the NPTEL Video Course PDF MP3 SRT Discipline : Aerospace Engineering Video Lecture Topics @

684 views • 21 slides
Huffman Codes Idea: The straightforward coding an alphabet A of ASize characters into binary

Huffman Codes Idea: The straightforward coding an alphabet A of ASize characters into binary

Huffman Codes Idea: The straightforward coding an alphabet A of ASize characters into binary is to associate each character a string of log 2 ( ASize ) bits. For example, the standard ASCII character set associates with each of the

471 views • 10 slides
Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of

Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of

Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of bits actually required to store data. Entropy is sometimes called a measure of surprise A highly predictable sequence contains little actual

293 views • 16 slides
Compression Programs File Compression: Gzip, Bzip Archivers :Arc, Pkzip, Winrar,

Compression Programs File Compression: Gzip, Bzip Archivers :Arc, Pkzip, Winrar,

Analysis of Algorithms Analysis of Algorithms Analysis of Algorithms Piyush Piyush Kumar Kumar (Lecture 4: Compres (Lect (Lect (Lecture 4: Compres e 4: Compression e 4: Compression on) on) Welcome to 4531 Source: Guy E. Blelloch,

677 views • 23 slides

More recommend