gsm protocol fuzzing
play

GSM Protocol Fuzzing and other GSM related fun Harald Welte - PowerPoint PPT Presentation

Nov 16, 2022 •313 likes •623 views

GSM Protocol Fuzzing and other GSM related fun Harald Welte gnumonks.org gpl-violations.org OpenBSC airprobe.org hmw-consulting.de 0sec conference, October 2009, Berne/Switzerland Harald Welte GSM Protocol Fuzzing Outline Harald Welte

  1. GSM Protocol Fuzzing and other GSM related fun Harald Welte gnumonks.org gpl-violations.org OpenBSC airprobe.org hmw-consulting.de 0sec conference, October 2009, Berne/Switzerland Harald Welte GSM Protocol Fuzzing

  2. Outline Harald Welte GSM Protocol Fuzzing

  3. About the speaker Using + playing with Linux since 1994 Kernel / bootloader / driver / firmware development since 1999 IT security specialist, focus on network protocol security Board-level Electrical Engineering Always looking for interesting protocols (RFID, DECT, GSM) Harald Welte GSM Protocol Fuzzing

  4. GSM/3G protocol security Observation Both GSM/3G and TCP/IP protocol specs are publicly available The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny GSM networks are as widely deployed as the Internet Yet, GSM/3G protocols receive no such scrutiny! There are reasons for that: GSM industry is extremely closed (and closed-minded) Only about 4 closed-source protocol stack implementations GSM chipset makers never release any hardware documentation Harald Welte GSM Protocol Fuzzing

  5. The closed GSM industry Handset manufacturing side Only very few companies build GSM/3.5G baseband chips today Those companies buy the operating system kernel and the protocol stack from third parties Only very few handset makers are large enough to become a customer Even they only get limited access to hardware documentation Even they never really get access to the firmware source Harald Welte GSM Protocol Fuzzing

  6. The closed GSM industry Network manufacturing side Only very few companies build GSM network equipment Basically only Ericsson, Nokia-Siemens, Alcatel-Lucent and Huawei Exception: Small equipment manufacturers for picocell / nanocell / femtocells / measurement devices and law enforcement equipment Only operators buy equipment from them Since the quantities are low, the prices are extremely high e.g. for a BTS, easily 10-40k EUR Harald Welte GSM Protocol Fuzzing

  7. The closed GSM industry Operator side Operators are mainly banks today Typical operator outsources Billing Network planning / deployment / servicing Operator just knows the closed equipment as shipped by manufacturer Very few people at an operator have knowledge of the protocol beyond what’s needed for operations and maintenance Harald Welte GSM Protocol Fuzzing

  8. The closed GSM industry Security implications The security implications of the closed GSM industry are: Almost no people who have detailed technical knowledge outside the protocol stack or GSM network equipment manufacturers No independent research on protocol-level security If there’s security research at all, then only theoretical (like the A5/2 and A5/1 cryptanalysis) Or on application level (e.g. mobile malware) No open source protocol implementations which are key for making more people learn about the protocols which enable quick prototyping/testing by modifying existing code Harald Welte GSM Protocol Fuzzing

  9. Security analysis of GSM How would you get started? If you were to start with GSM protocol level security analysis, where and how would you start? On the handset side? Difficult since GSM firmware and protocol stacks are closed and proprietary Even if you want to write your own protocol stack, the layer 1 hardware and signal processing is closed and undocumented, too Known attempts The TSM30 project as part of the THC GSM project mados, an alternative OS for Nokia DTC3 phones none of those projects successful so far Harald Welte GSM Protocol Fuzzing

  10. Security analysis of GSM How would you get started? If you were to start with GSM protocol level security analysis, where and how would you start? On the network side? Difficult since equipment is not easily available and normally extremely expensive However, network is very modular and has many standardized/documented interfaces Thus, if equipment is available, much easier/faster progress Harald Welte GSM Protocol Fuzzing

  11. Security analysis of GSM The bootstrapping process Read GSM specs day and night (> 1000 PDF documents) Gradually grow knowledge about the protocols Obtain actual GSM network equipment (BTS) Try to get actual protocol traces as examples Start a complete protocol stack implementation from scratch Finally, go and play with GSM protocol security Harald Welte GSM Protocol Fuzzing

  12. The GSM network Harald Welte GSM Protocol Fuzzing

  13. GSM network components The BSS (Base Station Subsystem) MS (Mobile Station): Your phone BTS (Base Transceiver Station): The cell tower BSC (Base Station Controller): Controlling up to hundreds of BTS The NSS (Network Sub System) MSC (Mobile Switching Center): The central switch HLR (Home Location Register): Database of subscribers AUC (Authentication Center): Database of authentication keys VLR (Visitor Location Register): For roaming users EIR (Equipment Identity Register): To block stolen phones Harald Welte GSM Protocol Fuzzing

  14. GSM network interfaces Um: Interface between MS and BTS the only interface that is specified over radio A-bis: Interface between BTS and BSC A: Interface between BSC and MSC B: Interface between MSC and other MSC GSM networks are a prime example of an asymmetric distributed network, very different from the end-to-end transparent IP network. Harald Welte GSM Protocol Fuzzing

  15. GSM network protocols On the Um interface Layer 1: Radio Layer, TS 04.04 Layer 2: LAPDm, TS 04.06 Layer 3: Radio Resource, Mobility Management, Call Control: TS 04.08 Layer 4+: for USSD, SMS, LCS, ... Harald Welte GSM Protocol Fuzzing

  16. GSM network protocols On the A-bis interface Layer 1: Typically E1 line, TS 08.54 Layer 2: A variant of ISDN LAPD with fixed TEI’s, TS 08.56 Layer 3: OML (Organization and Maintenance Layer, TS 12.21) Layer 3: RSL (Radio Signalling Link, TS 08.58) Layer 4+: transparent messages that are sent to the MS via Um Harald Welte GSM Protocol Fuzzing

  17. Implementing GSM protocols How I got started! In September 2008, we were first able to make the BTS active and see it on a phone This is GSM900 BTS with 2 TRX at 2W output power (each) A 48kg monster with attached antenna 200W power consumption, passive cooling E1 physical interface I didn’t have much time at the time (day job at Openmoko) Started to read up on GSM specs whenever I could Bought a HFC-E1 based PCI E1 controller, has mISDN kernel support Found somebody in the GSM industry who provided protocol traces Harald Welte GSM Protocol Fuzzing

  18. Implementing GSM protocols Timeline In November 2008, I started the development of OpenBSC In December 2008, we did a first demo at 25C3 In January 2009, we had full voice call support In June 2009, I started with actual security related stuff In August 2009, we had the first field test with 2BTS and > 860 phones Harald Welte GSM Protocol Fuzzing

  19. Security analysis of GSM OpenBSC What is OpenBSC A GSM network in a box software Implements minimal subset of BSC, MSC, HLR, SMSC Is Free and Open Source Software licensed under GNU GPL Supports Siemens BS-11 BTS (E1) and ip.access nanoBTS (IP based) Has classic 2G signalling, voice and SMS support Implements various GSM protocols like A-bis RSL (TS 08.58) and OML (TS 12.21) TS 04.08 Radio Resource, Mobility Management, Call Control TS 04.11 Short Message Service Harald Welte GSM Protocol Fuzzing

  20. Known GSM security problems Scientific papers, etc No mutual authentication between phone and network leads to rogue network attacks leads to man-in-the-middle attacks is what enables IMSI-catchers Weak encryption algorithms Encryption is optional, user does never know when it’s active or not DoS of the RACH by means of channel request flooding RRLP (Radio Resource Location Protocol) the network can obtain GPS fix or even raw GSM data from the phone combine that with the network not needing to authenticate itself Harald Welte GSM Protocol Fuzzing

  21. Known GSM security problems The Baseband side GSM protocol stack always runs in a so-called baseband processor (BP) What is the baseband processor Typically ARM7 (2G/2.5G phones) or ARM9 (3G/3.5G phones) Runs some RTOS (often Nucleus, sometimes L4) No memory protection between tasks Some kind of DSP , model depends on vendor Runs the digital signal processing for the RF Layer 1 Has hardware peripherals for A5 encryption The software stack on the baseband processor is written in C and assembly lacks any modern security features (stack protection, non-executable pages, address space randomization, ..) Harald Welte GSM Protocol Fuzzing

  22. Interesting observations Learned from implementing the stack While developing OpenBSC, we observed a number of interesting Many phones use their TMSI from the old network when they roam to a new network Various phones crash when confronted with incorrect messages. We didn’t even start to intentionally send incorrect messages (!) There are tons of obscure options on the GSM spec which no real network uses. Potential attack vector by using rarely tested code paths. Harald Welte GSM Protocol Fuzzing

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering

Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering

Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering autom ated reverse engineering Erik Poll Erik Poll Radboud University Nijmegen Testing Ingredients T ti I di t Two things are needed to test

865 views • 53 slides
Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing

Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing

Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing antti.levomaki@forcepoint.com opi@forcepoint.com WHO? ANTTI LEVOMKI OLLI-PEKKA NIEMI Research Scientist Director of Research WHAT? NETWORK EVASIONS +

463 views • 18 slides
Fuzzing and protocol analysis case-study of DNP3 Adam Crain, Automatak Developed by Harris Corp,

Fuzzing and protocol analysis case-study of DNP3 Adam Crain, Automatak Developed by Harris Corp,

Fuzzing and protocol analysis case-study of DNP3 Adam Crain, Automatak Developed by Harris Corp, handed over to a vendor-neutral User Group in 1993. Many features have been bolted on, including security. Layered Architecture IED/RTU or

469 views • 24 slides
Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky 1 Juraj j Somorovsky vsky.

Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky 1 Juraj j Somorovsky vsky.

Systematic Fuzzing and Testing of TLS Libraries Juraj Somorovsky 1 Juraj j Somorovsky vsky. . Syste temat atic Fuzzing and Testing g of TLS Libraries es 1 Transport Layer Security The most important crypto protocol HTTP, SMTP,

467 views • 43 slides
Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange Division R&D firstname dot lastname at orange-ftgroup dot com research & development Forewords Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti p

1.05k views • 78 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1 2 Fuzzing as a bug finding approach Fuzzing is highly effective in finding bugs (CVEs) Developers use it as proactive defense measure:

844 views • 32 slides
FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

MASTER SEMINAR WS16/17 PROF. DR. ALEXANDER PRETSCHNER SAAHIL OGNAWALA FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr. Alexander Pretschner Head of Chair XXII Software Engineering @TUM since

489 views • 21 slides
Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction Fuzzing Media Content in Android Data Generation Fuzzing the Stagefright Framework Logging & Triage Mechanisms 2 Introduction Fuzzing

1.12k views • 38 slides
NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein, Junfeng Yang, Baishakhi Ray, and Suman Jana Columbia University 1 Fuzzing: a popular way to uncover bugs [Liang et al. 2019] 2 Evolutionary Fuzzing

1.02k views • 26 slides
ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma

ParmeSan: Sanitizer-guided Greybox Fuzzing USENIX 2020 *some pages borrowed from Zheyu Ma background What is fuzzing: feed random inputs to trigger as many crashes and hangs as possible What is state-of-the-art of fuzzing research:

494 views • 18 slides
DIGITAL TELEVISION DIGITAL TELEVISION Fernando Pereira Instituto Superior Tcnico Audiovisual

DIGITAL TELEVISION DIGITAL TELEVISION Fernando Pereira Instituto Superior Tcnico Audiovisual

DIGITAL TELEVISION DIGITAL TELEVISION Fernando Pereira Instituto Superior Tcnico Audiovisual Communications, Fernando Pereira, 2012 The Analogue TV World The Analogue TV World The Analogue TV World The Analogue TV World NTSC PAL SECAM

2.29k views • 186 slides
Chapter 1: Introduction Our goal: Overview: get feel and whats the Internet? t

Chapter 1: Introduction Our goal: Overview: get feel and whats the Internet? t

Chapter 1: Introduction Our goal: Overview: get feel and whats the Internet? t terminology i l whats a protocol? more depth, detail network edge: hosts, access later in course nets, physical media approach:

651 views • 46 slides
Chapter 1 Introduction Adapted from Computer Networking: A Top Down Approach, 6th edition,

Chapter 1 Introduction Adapted from Computer Networking: A Top Down Approach, 6th edition,

Chapter 1 Introduction Adapted from Computer Networking: A Top Down Approach, 6th edition, Jim Kurose, Keith Ross Addison-Wesley, March 2012 Introduction 1-1 Chapter 1: introduction Review : what s the Internet? what s a

1.01k views • 59 slides
3/ The team Communication Networks and Protocols* Bibiliography Bibiliography Kurose &

3/ The team Communication Networks and Protocols* Bibiliography Bibiliography Kurose &

569 views • 10 slides
Mobile Communication Prof. Dr. Michael Rohs michael.rohs@ifi.lmu.de Mobile Interaction Lab, LMU

Mobile Communication Prof. Dr. Michael Rohs michael.rohs@ifi.lmu.de Mobile Interaction Lab, LMU

MMI 2: Mobile Human- Computer Interaction Mobile Communication Prof. Dr. Michael Rohs michael.rohs@ifi.lmu.de Mobile Interaction Lab, LMU Mnchen Lectures # Date Topic 1 19.10.2011 Introduction to Mobile Interaction, Mobile Device

1.09k views • 87 slides
Outline Public key crypto Computer Security: Public Key Crypto RSA Essentials Bart Jacobs

Outline Public key crypto Computer Security: Public Key Crypto RSA Essentials Bart Jacobs

Public key crypto Public key crypto RSA Essentials RSA Essentials Public key protocols Radboud University Nijmegen Public key protocols Radboud University Nijmegen Diffie-Hellman and El Gamal Diffie-Hellman and El Gamal Outline Public key

328 views • 10 slides
Technology Transfer from Security Research Projects A Personal Perspective N. Asokan Aalto

Technology Transfer from Security Research Projects A Personal Perspective N. Asokan Aalto

Technology Transfer from Security Research Projects A Personal Perspective N. Asokan Aalto University & University of Helsinki http://asokan.org/asokan/research Five examples Optimistic Fair Exchange Generic Authentication

943 views • 57 slides
I nternet , intranet and W eb L ecture I T echnologies and protocols for application

I nternet , intranet and W eb L ecture I T echnologies and protocols for application

I nternet , intranet and W eb L ecture I T echnologies and protocols for application communications Marco Solieri marco.solieri@lipn.univ-paris13.fr Info et Rseaux en Apprentissage, Sup Galile, Paris 13 November 3 rd, 2014 O utline 1 C

811 views • 53 slides

More recommend