Yan Chen, Hai Zhou

1
Automatic Vulnerability Analysis and Intrusion
Mitigation Systems for WiMAX Networks

• Yan Chen, Hai Zhou
• Northwestern Lab for Internet and Security
  Technology (LIST)
• Dept. of Electrical Engineering and Computer
  Science
• Northwestern University
• http//list.cs.northwestern.edu

Motorola Liaisons Greg W. Cox, Z. Judy Fu, Peter
McCann, and Philip R. Roberts Motorola Labs
2
The Spread of Sapphire/Slammer Worms
3
Outline

• Threat Landscape and Motivation
• Our approach
• Accomplishment
• Achievement highlight a Mobile IPv6 vulnerability

4
The Current Threat Landscape and Countermeasures
of WiMAX Networks

• WiMAX next wireless phenomenon
• Predicted multi-billion dollar industry
• WiMAX faces both Internet attacks and wireless
  network attacks
• E.g., 6 new viruses, including Cabir and Skulls,
  with 30 variants targeting mobile devices
• Goal of this project secure WiMAX networks
• Big security risks for WiMAX networks
• No formal analysis about WiMAX security
  vulnerabilities
• No intrusion detection/mitigation
  product/research tailored towards WiMAX networks

5
Our Approach

• Vulnerability analysis of 802.16e specs and WiMAX
  standards
• Systematical and automatic searching through
  formal methods.
• First specify the specs and potential
  capabilities of attackers in a formal language
  TLA (the Temporal Logic of Actions)
• Then model check for any possible attacks
• The formal analysis can also help guide fixing of
  the flaws
• Adaptive Intrusion Detection and Mitigation for
  WiMAX Networks (WAIDM)
• Could be differentiator for Motorolas 802.16
  products

6
Accomplishments This Year

• Most achieved with close interaction with
  Motorola liaisons
• Automatic vulnerability analysis
• Checked the initial ranging and authentication of
  WiMAX
• Found a potential vulnerability for ranging (but
  needs to change MAC)
• Published a joint paper with Judy Fu
• Automatic Vulnerability Checking of IEEE 802.16
  WiMAX Protocols through TLA, in Proc. of the
  Second Workshop on Secure Network Protocols
  (NPSec), 2006.
• Checking the mobile IPv6
• Find an easy attack to disable the route
  optimization !

7
Accomplishments This Year (II)

• Sketch-based online flow-level intrusion
  detection
• Mature and ready to be deployed
• Motorola liaisons are talking to various groups
  for commercialization
• E.g., recently talked to Joshua Brickel, John
  Bruner, and Ephraim Borow in MSG. Sketch can be
  used in our DoS attack solution for Verizon
  Wireless networks or may be used in SLA monitor.
• Automatic polymorphic worm signature generation
  systems for high-speed networks
• Fast, noise tolerant, and attack resilient
• Resulted a joint paper submission with Judy Zhi
  Fu
• Network-based and Attack-resilient Length
  Signature Generation for Zero-day Polymorphic
  Worms, submitted to USENIX Security Symposium
  2007.
• Patent under review by the patent committee of
  Motorola

8
Automatic Length Based Worm Signature Generation

• Majority of worms exploit buffer overflow
  vulnerabilities
• Worm packets have a particular field longer than
  normal
• Length signature generation
• Parse the traffic to different fields
• Find abnormally long field
• Apply a three-step algorithm to determine a
  length signature
• Length based signature is hard to evade if the
  attacker has to overflow the buffer.

9
Length Based Signature Generator
10
Evaluation of Signature Quality

• Seven polymorphic worms based on real-world
  vulnerabilities and exploits from
  securityfocus.com
• Real traffic collected at two gigabit links of a
  campus edge routers in 2006 (40GB for evaluation)
• Another 123GB SPAM dataset

11
Accomplishments on Publications

• Four conference and one journal papers, and one
  tech report
• Hop ID A Virtual Coordinate based Routing for
  Sparse Mobile Ad Hoc Networks, to appear in IEEE
  Transaction on Mobile Computing.
• A Suite of Schemes for User-level Network
  Diagnosis without Infrastructure, to appear in
  the Proc. of IEEE INFOCOM, 2007 (18).
• Internet Cache Pollution Attacks and
  Countermeasures, in Proc. of the 14th IEEE
  International Conference on Network Protocols
  (ICNP), Nov. 2006 (14).
• Automatic Vulnerability Checking of IEEE 802.16
  WiMAX Protocols through TLA, in Proc. of the
  Second Workshop on Secure Network Protocols
  (NPSec) (33).
• A DoS Resilient Flow-level Intrusion Detection
  Approach for High-speed Networks, in Proc. of
  IEEE International Conference on Distributed
  Computing Systems (ICDCS), 2006 (14).
• Abstraction Techniques for Model-Checking
  Parameterized Systems, EECS Tech. Report, 2007.

12
Students Involved

• PhD students
• Yan Gao, Zhichun Li, Yao Zhao (all in their 3rd
  years),
• Nicos Liveris (4th year)
• MS students
• Prasad Narayana (graduating, will work for
  Motorola soon)
• Sagar Vemuri (1st year)
• Undergraduate student
• Coh Yoshizaki

13
Outline

• Threat Landscape and Motivation
• Our approach
• Accomplishment
• Achievement highlight a Mobile IPv6 vulnerability

14
Mobile IPv6 (RFC 3775)

• Provides mobility at IP Layer
• Enables IP-based communication to continue even
  when the host moves from one network to another
• Host movement is completely transparent to Layer
  4 and above

15
Mobile IPv6 - Entities

• Mobile Node (MN) Any IP host which is mobile
• Correspondent Node (CN) Any IP host
  communicating with the MN
• Home Agent (HA) A host/router in the Home
  network which
• Is always aware of MNs current location
• Forwards any packet destined to MN
• Assists MN to optimize its route to CN

16
Mobile IPv6 - Process

• (Initially) MN is in home network and connected
  to CN
• MN moves to a foreign network
• Registers new address with HA by sending Binding
  Update (BU) and receiving Binding Ack (BA)
• Performs Return Routability to optimize route to
  CN by sending HoTI, CoTI and receiving HoT, CoT
• Registers with CN using BU and BA

17
Mobile IPv6 in Action
Home Network
HoT
Internet
Correspondent
Mobile
Node
Home Agent
Node
HoTI
BA
CoT
HoTI
BA

CoTI
HoT
BU
BU
Foreign Network
18
Mobile IPv6 Vulnerability

• Nullifies the effect of Return Routability
• BA with status codes 136, 137 and 138 unprotected
• Man-in-the-middle attack
• Sniffs BU to CN
• Injects BA to MN with one of status codes above
• MN either retries RR or gives up route
  optimization and goes through HA

19
MIPv6 Attack In Action
MN
HA
AT
CN
Start
H
o
T
I
Return
o
C
T
I
Routability
H
o
T
I
T
o
C
o
T
H
T
o
H
Bind Update (Sniffed by AT along the way)






Bind Ack Spoofed by AT


Routability
Bind Ack

Bind Ack
20
MIPv6 Vulnerability - Effects

• Performance degradation by forcing communication
  through sub-optimal routes
• Possible overloading of HA and Home Link
• Service disruption Communication between two
  mobile entities can be disrupted if they were
  already using optimized route

21
Conclusions

• Vulnerability analysis of 802.16e specs (WiMAX)
  and mobile IP protocols
• Adaptive Intrusion Detection and Mitigation for
  WiMAX Networks (WAIDM)

Thank You !
22
Existing WLAN Security Technology Insufficient
for WiMAX Networks

• Cryptography and authentication cannot prevent
  attacks from penetrating WiMAX networks
• Viruses, worms, DoS attacks, etc.
• 802.16 IDS development can potentially lead to
  critical gain in market share
• All major WLAN vendors integrated IDS into
  products
• Limitations of existing IDSes (including WIDS)
• Mostly host-based, and not scalable to high-speed
  networks
• Mostly simple signature based, cannot deal with
  unknown attacks, polymorphic worms
• Mostly ignore dynamics and mobility of wireless
  networks

23
Deployment of WAIDM

• Attached to a switch connecting BS as a black box
• Enable the early detection and mitigation of
  global scale attacks
• Could be differentiator for Motorolas 802.16
  products

Users
Internet
Users
WAIDM
system
Internet
802.16
scan
802.16 BS
port
BS
Switch/
Switch/
BS controller
BS controller
802.16
802.16 BS
BS
Users
Users
(a)
(b)
WAIDM deployed
Original configuration