Automated Analysis of Wireless Communication Protocols via SDR (PowerPoint presentation)



SLIDE 1

Chair for Network Architectures and Services, Technische Universität München

Automated Analysis of Wireless Communication Protocols via SDR

Bachelor thesis colloquium Roman Leuprecht

November 4, 2015

Chair for Network Architectures and Services, Department of Informatics, Technische Universität München

Technische Universität München – Chair for Network Architectures and Services 1

SLIDE 2

◮ Recap: SDR
  ◮ GNU Radio & the HackRF hardware
◮ Concept
  ◮ Motivation
  ◮ Challenges
◮ Implementation
  ◮ ADS-B
  ◮ DCF77
  ◮ GSM
  ◮ Implementation details
  ◮ Implementation result
◮ Proposal of a new framework
◮ Conclusion


SLIDE 3

Recap: SDR

Software-defined radio (SDR) moves the signal processing that a conventional radio performs in dedicated circuits (mixing, filtering, demodulation, decoding) into software on a host computer; only the analog front end and the converter remain in hardware.

Figure: SDR signal chain: Antenna → Amplifier → A/D converter → Bus system → Host

This enables easier and faster research and development. In this thesis we used:

◮ HackRF as transceiver hardware
◮ GNU Radio as SDR framework


SLIDE 4

Motivation

◮ many wireless systems are based on proprietary protocols
  ◮ e.g. car remotes, wireless lock systems
◮ analysis is needed to discover flaws & weaknesses
  ◮ private and military security concerns
◮ manual analysis is time-consuming, but automation may help
  ◮ pattern recognition
  ◮ maximum likelihood calculations
  ◮ frequency deviation and progression analysis

SLIDE 5

Concept

At first the concept was to develop a framework for completely automated communication analysis featuring:

◮ automated recognition of messages
◮ search for patterns and structures
◮ reliable identification of known protocols

During the course of the thesis challenges were discovered and the concept was modified to:

◮ analyze the challenges and research them in depth
◮ design a unified approach for wireless analysis
◮ implement a first testing framework


SLIDE 6

Challenges: Overview

Figure: Flowgraph of digital information [1] with the challenges indicated. Transmit side: digital payload → network packet → channel code → baseband forming → modulation. Receive side: demodulation → baseband detection → channel code → network packet → digital payload. The blind-analysis challenges sit at the three receive-side stages where the analyst lacks the specification: modulation recognition, channel code estimation and network packet reconstruction.


SLIDE 7

Challenges: Details

The following challenges, and approaches from the literature to solve them, were found:

◮ modulation recognition
  ◮ neural networks for detection (about 90 % success) [2]
◮ channel code estimation
  ◮ linear codes: maximum likelihood based [3]
  ◮ convolutional codes: matrix rank approach [4]
◮ packet reconstruction
  ◮ state machine based (ReverX, RolePlayer) [5, 6]
  ◮ token cluster based (Discoverer) [7]
  ◮ hybrid approach (ProtoX) [8]
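The matrix rank approach for convolutional codes [4], as an added worked example (not code from the thesis): the intercepted bitstream is cut into consecutive l-bit rows and the GF(2) rank of that matrix is computed for growing l. Rows that start on code-word boundaries span only the small subspace generated by a few input bits, so the matrix loses rank exactly when l is a multiple of the code-word length n, and the way the rank deficiency grows from one multiple of n to the next gives k and the encoder memory. Everything here is constructed: the encoder, the (7,5) test code, the random input stream and the mis-synchronised copy. The estimator follows the idea of [4] rather than its exact algorithm, and the relation rank(R_l) = k(l/n + memory) used for the aligned rows is what holds for this rate-1/2 code.

```python
import random
from functools import reduce
from math import gcd


def conv_encode(bits, generators):
    """Rate-1/n feed-forward convolutional encoder.

    generators: one tap list per output, ordered from the current input bit to
    the oldest register bit; [[1, 1, 1], [1, 0, 1]] is the classic (7, 5) code.
    Output bits are interleaved c_t^(1), c_t^(2), ... as they appear on air.
    """
    memory = max(len(g) for g in generators) - 1
    state = [0] * memory
    out = []
    for u in bits:
        window = [u] + state
        for g in generators:
            out.append(sum(gi & wi for gi, wi in zip(g, window)) & 1)
        state = ([u] + state)[:memory]
    return out


def gf2_rank(rows):
    """Rank over GF(2) of row vectors given as Python ints (one bit per column)."""
    pivots = {}  # leading-bit position -> row with that leading bit
    for r in rows:
        while r:
            lead = r.bit_length() - 1
            if lead in pivots:
                r ^= pivots[lead]
            else:
                pivots[lead] = r
                break
    return len(pivots)


def block_matrix_rank(stream, l):
    """Rank of R_l: the stream cut into consecutive, non-overlapping l-bit rows."""
    rows = []
    for i in range(len(stream) // l):
        r = 0
        for b in stream[i * l:(i + 1) * l]:
            r = (r << 1) | b
        rows.append(r)
    return gf2_rank(rows)


def rank_deficiencies(stream, max_l):
    """l - rank(R_l) for l = 1..max_l; zero means R_l has full rank."""
    return {l: l - block_matrix_rank(stream, l) for l in range(1, max_l + 1)}


def identify(stream, max_l=24):
    """Blind estimate of (n, k, memory, sync offset) from the rank profile."""
    d = rank_deficiencies(stream, max_l)
    deficient = [l for l, v in d.items() if v > 0]
    if len(deficient) < 2:
        return None
    n = reduce(gcd, deficient)            # rank is lost only at multiples of n
    l_ref = max_l - max_l % n             # largest multiple of n that was measured
    # Rows that start on a code-word boundary depend on the fewest input bits,
    # so the synchronised offset shows the largest deficiency.
    offset = max(range(n), key=lambda o: l_ref - block_matrix_rank(stream[o:], l_ref))
    aligned = stream[offset:]
    d_ref = l_ref - block_matrix_rank(aligned, l_ref)
    d_prev = (l_ref - n) - block_matrix_rank(aligned, l_ref - n)
    # For aligned rows of a*n bits, rank = k*(a + memory): the deficiency grows by
    # n - k per additional code word, and its offset from a*(n - k) is k*memory.
    k = n - (d_ref - d_prev)
    memory = ((l_ref // n) * (n - k) - d_ref) // k
    return {"n": n, "k": k, "memory": memory, "offset": offset}


# Constructed test stream: 2000 random input bits through the (7, 5) code,
# i.e. 4000 intercepted bits whose sync offset the analyst does not know.
_rng = random.Random(7)
SAMPLE_STREAM = conv_encode([_rng.getrandbits(1) for _ in range(2000)], [[1, 1, 1], [1, 0, 1]])

if __name__ == "__main__":
    print({l: v for l, v in rank_deficiencies(SAMPLE_STREAM, 12).items() if v})
    print(identify(SAMPLE_STREAM))
    print(identify(SAMPLE_STREAM[1:]))   # same code seen from a mis-synchronised start
```

For an analyst this is the blind step that turns a captured stream of a proprietary protocol into something decodable: once n, k, the memory and the synchronisation are known, the parity-check (dual code) relations can be read off the null space of the same matrix, and from them the encoder taps, without any vendor documentation.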

SLIDE 8

Implementation: ADS-B

ADS-B (Automatic Dependent Surveillance-Broadcast) is the official standard by which aircraft broadcast their position and state for surveillance and collision avoidance [9]:

◮ distributes:
  ◮ altitude & speed
  ◮ coordinates & heading
  ◮ flight number & identification (ICAO address)
◮ 1090 MHz, pulse position modulation, 1 Mbit/s
◮ two GNU Radio implementations exist, neither of them stand-alone

Further challenges for the implementation were:

◮ filter design was complicated; over-sampling and then down-sampling was tried first (4 MSamples/s)
◮ a DC blocker with thresholds produces the high/low signal
◮ PPM demodulation is not implemented in GNU Radio
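The missing PPM demodulator, as an added example (not the thesis code, nor from either GNU Radio project): a Mode S preamble detector and bit slicer on magnitude samples at an assumed 2 MSamples/s, followed by the Mode S CRC-24 that is the only integrity check an ADS-B frame carries. The frame contents (ICAO address 0x123456, ME field), the sample rate and the noise are constructed, and the input is already the high/low magnitude signal that the DC blocker stage above would deliver. The last lines show the practitioner's caveat: the CRC is not a signature, so a forged frame with a recomputed parity field is indistinguishable from a genuine one.

```python
import random

SAMPLES_PER_BIT = 2              # assumed 2 MSamples/s: two samples per 1 us bit
PREAMBLE_SLOTS = 16              # 8 us preamble in 0.5 us slots
PREAMBLE_PULSES = (0, 2, 7, 9)   # 0.5 us pulses at 0, 1.0, 3.5 and 4.5 us
FRAME_BITS = 112                 # long Mode S frame used by ADS-B (DF 17)
GENERATOR = 0x1FFF409            # Mode S CRC-24: x^24 + x^23 + ... + x^10 + x^3 + 1


def mode_s_crc(bits):
    """Remainder of the frame polynomial modulo the Mode S generator.

    The last 24 bits of a DF 17 frame are the CRC of the first 88, so the
    remainder over all 112 received bits is zero when the frame is intact.
    """
    reg = 0
    for b in bits:
        reg = (reg << 1) | b
        if reg & (1 << 24):
            reg ^= GENERATOR
    return reg


def int_to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def bits_to_int(bits):
    out = 0
    for b in bits:
        out = (out << 1) | b
    return out


def build_df17_frame(icao, me_bits):
    """DF=17, CA=5, 24-bit ICAO address, 56-bit ME field, 24-bit parity."""
    head = int_to_bits(17, 5) + int_to_bits(5, 3) + int_to_bits(icao, 24) + list(me_bits)
    return head + int_to_bits(mode_s_crc(head + [0] * 24), 24)


def ppm_modulate(bits, lead_in=20, noise_sigma=0.05, seed=1):
    """Magnitude samples of preamble + PPM data with a little constructed noise."""
    rng = random.Random(seed)
    slots = [0] * PREAMBLE_SLOTS
    for p in PREAMBLE_PULSES:
        slots[p] = 1
    for b in bits:
        slots += [1, 0] if b else [0, 1]      # 1: pulse in the first half-bit, 0: second half
    envelope = [0] * lead_in + slots + [0] * lead_in
    return [abs(s + rng.gauss(0, noise_sigma)) for s in envelope]


def find_preamble(mag):
    """First offset where the four preamble pulses stand clear of the twelve quiet slots."""
    quiet = [i for i in range(PREAMBLE_SLOTS) if i not in PREAMBLE_PULSES]
    need = PREAMBLE_SLOTS + FRAME_BITS * SAMPLES_PER_BIT
    for i in range(len(mag) - need + 1):
        high = min(mag[i + p] for p in PREAMBLE_PULSES)
        low = max(mag[i + q] for q in quiet)
        if high > 2 * low:                    # simple ratio test, no absolute threshold
            return i
    return None


def demodulate(mag):
    """Slice the 112 PPM bits after the preamble by comparing the two half-bit samples."""
    start = find_preamble(mag)
    if start is None:
        return None
    data = start + PREAMBLE_SLOTS
    bits = [1 if mag[data + 2 * k] > mag[data + 2 * k + 1] else 0 for k in range(FRAME_BITS)]
    return {
        "df": bits_to_int(bits[0:5]),
        "icao": bits_to_int(bits[8:32]),
        "me": bits[32:88],
        "crc_ok": mode_s_crc(bits) == 0,
        "bits": bits,
    }


# Constructed frame: made-up ICAO address 0x123456 and an arbitrary 56-bit ME field.
ME_BITS = int_to_bits(0x20A5C3F00F3C5A, 56)
FRAME = build_df17_frame(0x123456, ME_BITS)

if __name__ == "__main__":
    print(demodulate(ppm_modulate(FRAME)))
    damaged = FRAME[:40] + [FRAME[40] ^ 1] + FRAME[41:]
    print("damaged frame passes CRC:", mode_s_crc(damaged) == 0)
    # A CRC is not authentication: re-computing the parity makes the forgery pass.
    forged = build_df17_frame(0x123456, damaged[32:88])
    print("forged frame passes CRC:", demodulate(ppm_modulate(forged))["crc_ok"])
```

The bit decision compares the two halves of each bit instead of slicing against a fixed threshold, which is what makes the decoder tolerant of the gain differences the DC blocker leaves behind; the preamble search uses the same idea as a ratio between pulse and quiet slots.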


SLIDE 9

Implementation: GNU Radio filters vs. DC blocker

Figure: Effect of the different DC-spike avoidance techniques implemented in GNU Radio (filter chain vs. DC blocker) on the received ADS-B signal


SLIDE 10

Implementation: DCF77

DCF77 broadcasts the official German time and provides a radio time service for central Europe [10, 11]

◮ 77.5 kHz; amplitude modulation: at the start of every second the carrier is reduced to 15 % for 100 ms (bit 0) or 200 ms (bit 1) [10]
◮ 1 bit/s, frames aligned to minutes (the missing second mark in second 59 marks the minute)

Since no working GNU Radio implementation was found at all, no test could be developed. Nevertheless, DCF77 is a good example of how a reduced radio stack can operate.


SLIDE 11

Implementation: The DCF77 customized radio stack

Bits 1–14    Various (civil warning and weather information)
Bits 15–20   Time information (call bit, time-zone and announcement flags; bit 20 = start of the time code)
Bits 21–28   Minutes (BCD, parity bit P1 at bit 28)
Bits 29–35   Hours (BCD, parity bit P2 at bit 35)
Bits 36–58   Date
  Bits 36–41   Calendar day
  Bits 42–44   Week day
  Bits 45–49   Month
  Bits 50–57   Year
  Bit 58       Parity (P3)
Bit 59       Pause: no second mark, which delimits the frame (SFD)

Figure: DCF77 payload [10] and modulation [12]
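A decoder for the payload above, as an added example that is not part of the thesis: the measured second-mark lengths are sliced to bits, the framing bits and the three even-parity groups are checked, and the BCD fields are read least significant bit first. The bit numbers are those of the PTB description [10]; the frame used for testing is constructed (it happens to encode the colloquium date).

```python
# Bit layout of one DCF77 minute (bit 0 is the first second), after [10]:
#  0        always 0 (start of minute)
#  1-14     civil warning / weather data (not decoded here)
# 15-19     call bit, CEST announcement, CEST flag, CET flag, leap-second announcement
# 20        always 1 (start of the time code)
# 21-27     minute, BCD, least significant bit first      28  P1 (even parity over 21-28)
# 29-34     hour, BCD                                     35  P2 (even parity over 29-35)
# 36-41 day  42-44 weekday  45-49 month  50-57 year       58  P3 (even parity over 36-58)
# 59        no second mark: the gap that marks the minute
FIELDS = {"minute": (21, 27), "hour": (29, 34), "day": (36, 41),
          "weekday": (42, 44), "month": (45, 49), "year": (50, 57)}
PARITY = {"P1": (21, 28), "P2": (29, 35), "P3": (36, 58)}   # inclusive; parity bit is the last


def second_marks_to_bits(low_ms):
    """Demodulate: each second the carrier drops to 15 % for about 100 ms (0) or 200 ms (1).

    low_ms holds the measured reduction lengths of seconds 0..58; second 59 has
    no reduction and is how the receiver finds the start of the minute.
    """
    bits = []
    for width in low_ms:
        if abs(width - 100) <= 40:
            bits.append(0)
        elif abs(width - 200) <= 40:
            bits.append(1)
        else:
            raise ValueError(f"unexpected carrier reduction of {width} ms")
    return bits


def bcd_decode(bits):
    """Weights 1,2,4,8 then 10,20,40,80: DCF77 sends the low digit first, LSB first."""
    return sum(w for b, w in zip(bits, (1, 2, 4, 8, 10, 20, 40, 80)) if b)


def bcd_encode(value, width):
    code = ((value // 10) << 4) | (value % 10)
    return [(code >> i) & 1 for i in range(width)]


def validate(frame):
    """Framing and parity checks; returns a list of problems, empty if the frame is clean."""
    if len(frame) != 59:
        return ["frame must hold bits 0..58"]
    problems = []
    if frame[0] != 0:
        problems.append("bit 0 must be 0")
    if frame[20] != 1:
        problems.append("bit 20 must be 1")
    for name, (lo, hi) in PARITY.items():
        if sum(frame[lo:hi + 1]) % 2:
            problems.append(f"{name} parity error (bits {lo}-{hi})")
    return problems


def decode(frame):
    problems = validate(frame)
    if problems:
        raise ValueError("; ".join(problems))
    fields = {name: bcd_decode(frame[lo:hi + 1]) for name, (lo, hi) in FIELDS.items()}
    fields["cest"] = bool(frame[17])
    return fields


def encode(minute, hour, day, weekday, month, year, cest=False):
    """Builds a clean frame; used here only to construct test input."""
    frame = [0] * 59
    frame[17], frame[18], frame[20] = int(cest), int(not cest), 1
    values = (minute, hour, day, weekday, month, year)
    for (lo, hi), value in zip(FIELDS.values(), values):
        frame[lo:hi + 1] = bcd_encode(value, hi - lo + 1)
    for lo, hi in PARITY.values():
        frame[hi] = sum(frame[lo:hi]) % 2
    return frame


if __name__ == "__main__":
    # Constructed minute: 13:34 CET on Wednesday, 4 November 2015 (weekday 3).
    marks = [200 if b else 100 for b in encode(34, 13, 4, 3, 11, 15)]
    print(decode(second_marks_to_bits(marks)))
```

Note how thin this stack is: there is no address, no sequence number and no integrity protection beyond three parity bits, so a receiver that synchronises on the missing second mark accepts any carrier that follows the timing, which is exactly the reduced-stack behaviour the slide refers to.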


SLIDE 12

Implementation: Global System for Mobile Communications

GSM is the worldwide standard for mobile communication and was also adapted to various other uses, e.g. railways (GSM-R) [13]

◮ 850 MHz, 900 MHz, 1800 MHz & 1900 MHz are the most common bands (14 in total, ranging from 380 MHz to 1900 MHz)
◮ Gaussian minimum shift keying (GMSK) with frequency multiplexing (FDMA) and time slots (TDMA)
◮ operates on 1024 channels (ARFCNs, each 200 kHz wide, 75 % of them in the main quad bands)

For GSM the gr-gsm library (https://github.com/ptrkrysik/gr-gsm) yielded a usable implementation that provides:

◮ channel model
◮ burst aggregation
◮ packet detection


SLIDE 13

Implementation: Details

The implementation faced certain problems induced by the software used:

◮ GNU Radio bug: message passing into Python dead-locks the DSP flow at the end of a run
◮ C++ blocks should not pass data into the surrounding Python program (may have side effects)
◮ no components exist to extract data for sequential tests

These were solved with the following techniques:

◮ a threaded design allows the tests to run despite the deadlock
◮ data is submitted over UDP via the local loopback interface
  ◮ relies on the reliability of the operating system's loopback sockets (Linux was used)
  ◮ the UDP approach allows interfacing with third-party programs


SLIDE 14

Implementation: Threading

Figure: The threading architecture of the Python application. Main thread: start, read options → start threads → join threads → end. DSP thread: configure DSP → executing DSP. Listener thread: UDP listen → test data. DATA flows from the executing DSP to the UDP listener over the loopback socket.


SLIDE 15

Implementation: Output

A sample test output written by the implemented GSM test, analyzing channel #85 (952 MHz) over about 20 seconds in Munich, Germany:

    [RESULT] GSM Discovered ( 1151 frames )
    [RESULT] GSM CCCH Packet encountered 118 times ( 10.3 % )
    [RESULT] GSM RACH Packet encountered 1033 times ( 89.7 % )

◮ CCCH: Common Control Channel (GSM control handshakes and data exchange)
◮ RACH: Random Access Channel (for direct GSM system access of clients)
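The threaded UDP collector of slides 13 to 15, as an added example that is not the thesis' code: a listener thread bound to loopback receives GSMTAP datagrams (the encapsulation gr-gsm emits and Wireshark decodes on UDP port 4729), a stand-in for the DSP thread sends constructed frames followed by an empty end-marker datagram, the threads are joined, and the [RESULT] lines are produced from the sub_type counts. The GSMTAP v2 header layout and channel codes are those of the libosmocore definition; the frames, ARFCN and signal values are constructed, and the test binds an ephemeral port instead of 4729 so it never collides with a running capture.

```python
import socket
import struct
import threading
from collections import Counter

GSMTAP_PORT = 4729                 # well-known GSMTAP/UDP port (gr-gsm default, Wireshark decodes it)
GSMTAP_VERSION = 2
GSMTAP_TYPE_UM = 0x01              # GSM Um air-interface frames
GSMTAP_HDR = struct.Struct("!BBBBHbbIBBBB")   # 16-byte GSMTAP v2 header, network byte order
CHANNEL_NAMES = {0x01: "BCCH", 0x02: "CCCH", 0x03: "RACH", 0x04: "AGCH", 0x05: "PCH", 0x06: "SDCCH"}


def gsmtap_packet(sub_type, frame_number, payload, arfcn=85, timeslot=0):
    """Build one GSMTAP datagram the way a DSP block would emit it (constructed values)."""
    header = GSMTAP_HDR.pack(GSMTAP_VERSION, GSMTAP_HDR.size // 4, GSMTAP_TYPE_UM, timeslot,
                             arfcn, -60, 20, frame_number, sub_type, 0, 0, 0)
    return header + payload


def parse_gsmtap(datagram):
    """Return the fields a test needs, or None for anything that is not a GSMTAP Um frame."""
    if len(datagram) < GSMTAP_HDR.size:
        return None
    (version, hdr_len, gsmtap_type, timeslot, arfcn, _dbm, _snr,
     frame_number, sub_type, _ant, _sub_slot, _res) = GSMTAP_HDR.unpack_from(datagram)
    if version != GSMTAP_VERSION or gsmtap_type != GSMTAP_TYPE_UM:
        return None
    return {"arfcn": arfcn, "timeslot": timeslot, "frame_number": frame_number,
            "channel": CHANNEL_NAMES.get(sub_type, f"0x{sub_type:02x}"),
            "payload": datagram[hdr_len * 4:]}


class UdpCollector(threading.Thread):
    """The 'UDP listen' thread of slide 14: collects frames until the empty end marker."""

    def __init__(self, host="127.0.0.1", port=0, timeout=2.0):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, port))        # port 0: let the OS pick a free port
        self.sock.settimeout(timeout)       # never block forever if the DSP side dies
        self.port = self.sock.getsockname()[1]
        self.frames = []

    def run(self):
        try:
            while True:
                data, _ = self.sock.recvfrom(4096)
                if not data:                # zero-length datagram: DSP side is done
                    break
                parsed = parse_gsmtap(data)
                if parsed is not None:
                    self.frames.append(parsed)
        except socket.timeout:
            pass
        finally:
            self.sock.close()


def summarize(frames):
    """Produce the [RESULT] lines in the format of slide 15."""
    counts = Counter(f["channel"] for f in frames)
    total = sum(counts.values())
    lines = [f"[RESULT] GSM Discovered ( {total} frames )"]
    for channel, n in counts.most_common():
        lines.append(f"[RESULT] GSM {channel} Packet encountered {n} times ( {100 * n / total:.1f} % )")
    return lines


def run_test(datagrams, port=0):
    """Start threads, run the DSP stand-in, join threads, report (the flow of slide 14)."""
    collector = UdpCollector(port=port)
    collector.start()

    def dsp_stand_in():
        tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        for dg in datagrams:
            tx.sendto(dg, ("127.0.0.1", collector.port))
        tx.sendto(b"", ("127.0.0.1", collector.port))
        tx.close()

    dsp = threading.Thread(target=dsp_stand_in)
    dsp.start()
    dsp.join()
    collector.join()
    return collector.frames, summarize(collector.frames)


def constructed_capture():
    """Constructed stand-in for gr-gsm output: 7 CCCH and 13 RACH frames plus one stray datagram."""
    datagrams = [gsmtap_packet(0x02 if i % 3 == 0 else 0x03, 1000 + i, bytes([0x2B] * 23))
                 for i in range(20)]
    datagrams.append(b"not gsmtap")
    return datagrams


if __name__ == "__main__":
    for line in run_test(constructed_capture())[1]:
        print(line)
```

Pointing the collector at port 4729 on a machine where gr-gsm is running is all that is needed to feed real bursts through the same code; because the datagrams stay valid GSMTAP, Wireshark on the loopback interface sees exactly what the test sees, which is the third-party interfacing the next slide shows.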


SLIDE 16

Implementation: Wireshark on local loopback (lo)

The extracted data can also be viewed in third-party applications like Wireshark.


SLIDE 17

Proposal of a new framework

Until now most papers used different implementations for their approach. This was a problem for both the practical and the theoretical work. A unified approach can speed up new research and development:

◮ Modules
  ◮ represent OSI layers
  ◮ contain algorithms
  ◮ cross-layer interfacing
◮ Data stacks
  ◮ hold all data of one analysis
  ◮ cross-layer data access
  ◮ independent of the implementation

SLIDE 18

Framework Components

Figure: Proposed framework architecture with three layers and their components, e.g. frame recognition or modulation recognition. Level 1 module (raw data): baseband search, modulation recognition. Level 2 module (encoded data): linear code recognition, convolutional code recognition. Level 3 module (frame data): burst recognition, frame recognition. All levels read from and write to a common data stack.


SLIDE 19

Conclusion

In the scope of this thesis the following was accomplished:

◮ inspection of wired communication analysis algorithms and their usefulness for radio stacks
◮ examination of different challenges and solutions for blind wireless analysis
◮ implementation of a first testing framework as a proof of concept for the encapsulation of tests and implementations for wireless analysis

Future work includes:

◮ developing more tests and DSP implementations
◮ implementing the formal approaches listed in the thesis
◮ implementing the full-scale framework


SLIDE 20

Thank You!

Any Questions?


SLIDE 21

Bibliography I

[1] R. Kötter, J. Hagenauer. Skriptum zur Vorlesung Nachrichtentechnik 1 (lecture notes, Communications Engineering 1), 2009.
[2] Zhao Yaqin, Ren Guanghui, Wang Xuexia, Wu Zhilu, and Gu Xuemai. Automatic digital modulation recognition using artificial neural networks. In Neural Networks and Signal Processing, 2003. Proceedings of the 2003 International Conference on, volume 1, 2003.
[3] Antoine Valembois. Detection and recognition of a binary linear code. In Discrete Applied Mathematics, volume 111, 2001.
[4] M. Marazin, R. Gautier, and G. Burel. Dual Code Method for Blind Identification of Convolutional Encoder for Cognitive Radio Receiver Design. In GLOBECOM Workshops, 2009 IEEE, pages 1–6, Nov 2009.
[5] João Antunes, Nuno Ferreira Neves, Paulo Verissimo. ReverX: Reverse Engineering of Protocols. Technical report, LASIGE, University of Lisboa, Portugal, 2011.
[6] Weidong Cui, Vern Paxson, Nicholas Weaver, and Randy H. Katz. Protocol-Independent Adaptive Replay of Application Dialog. In Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS), 2006.
[7] Weidong Cui, Jayanthkumar Kannan, and Helen J. Wang. Discoverer: Automatic Protocol Reverse Engineering from Network Traces. In Proceedings of the 16th USENIX Security Symposium, 2007.


SLIDE 22

Bibliography II

[8] Markus Dauberschmidt. Automated Protocol Reverse Engineering. Master's thesis, Technische Universität München, 2012.
[9] Greg Dunstone. ADS-B Technology basics. http://www.icao.int/APAC/Meetings/2010/adsb/sp14.pdf. Accessed: 2015-10-07.
[10] Dirk Piester, Peter Hetzel, Andreas Bauch. Zeit- und Normalfrequenzverbreitung mit DCF77 (Time and standard-frequency dissemination with DCF77). http://www.ptb.de/cms/fileadmin/internet/fachabteilungen/ abteilung 4/4.4 zeit und frequenz/4.42/dcf77.pdf. Accessed: 2015-10-07.
[11] Cyber Sciences. Overview of DCF77 Time Protocol. http://www.cyber-sciences.com/documents/TN-103 DCF77.pdf. Accessed: 2015-10-07.
[12] Technische Universität Braunschweig. Zeitsynchronisation (Time synchronisation). Accessed: 2015-11-01.
[13] ETSI TC-SMG. Digital cellular telecommunications system (Phase 2+); Physical layer on the radio path; General description. Technical report, European Telecommunications Standards Institute, 1996.
