Toolkit for vulnerability assessment in 3G networks
Kameswari Kotapati, The Pennsylvania State University
University Park, PA 16802
Contents
• Motivation
• Solution Overview
• Methodology Overview
• 3G Attack Graph
• Attack Scenario
• SDL
• Toolkit Architecture
• Algorithms
• Attack Categories
• Sample results
• Issues and Future Work
• Previously, telecom network (2G, 3G) signaling and control (SS7) was closed; future networks are not.
• Trend
  • Telecom networks are moving toward IP for control and services
  • Open interfaces for service introduction
  • Interworking between networks required
Open interfaces ⇒ cross-network services ⇒ cross-infrastructure cyber attacks ⇒ increased vulnerability of 3G data and 3G servers
Interworking Architecture ⇒ Increased Vulnerability
Evolution of Wireless Networks
[Figure: three stages of network evolution]
• 2G Cellular: Home Location Registers, Mobile Switching Centers, closed control network (SS7). Closed network: attacks are possible, but rare.
• 3G Cellular/All-IP: Home Subscriber Servers, Internet Telephony Servers, IP network, Media Gateways. Networks are now opening up; usage of IP opens up possible attacks; services still somewhat limited.
• Next Generation / IP Services: next generation servers. Two new dangers: very open environment, and passage into the SS7 network.
Realistic Future Network Environment
[Figure: access networks (CDMA2000 circuit access, IP access, UMTS, UMTS-IP, 3G-IP, Wi-Fi/802.16 base stations) attached to an ANSI-41 core, a UMTS core and an IP core made up of MSC/VLR, HLR and SIP servers]
• Services in all-IP domain
• Interworking between networks
Cross Infrastructure Cyber Attacks
• Cross Infrastructure Cyber Attacks may be defined as attacks on the wireless telecommunication network from the IP domain.
• Cascading effect may be defined as propagation of the attack across network elements.
[Figure: an attack starting at an entry point in the IP network propagates from server to server and reaches a 3G entity in the 3G network]
Motivation
• Open Interfaces
• Increased Usage
• Heavy Reliance
3G Networks = Attractive targets
Need: 3G Network Vulnerability Assessment Techniques
Why not pre-existing tools?
• They find physical configuration vulnerabilities, but every 3G deployment has a different physical configuration.
• They do not identify cascading effects.
• They lack end-to-end vulnerability assessment across network components.
Why not manual vulnerability assessment?
• Complexity of the 3G network
  • Each service comprises hundreds of servers.
  • Each server comprises millions of state machines.
• Hence not feasible
[Figure: an attack on an application server in the IP network crosses the gateway into the 3G network, and its effects cascade through GMSC, MSC/VLR and HLR]
Cellular Network Vulnerability Assessment Toolkit - CAT
• Goal: Generate attack graphs that capture attack propagation in 3G networks
• Output
  • attack graph: progression across the network
  • traces: seed propagation through the network and impact on services
• User input: 3G data parameters
  • seeds: data that is corrupted by an attacker
  • goals: data that is derived incorrectly
• System input
  • Freely available 3GPP technical telecommunication specifications written in Specification and Description Language (SDL) (http://www.3gpp.org)
SDL
• Graphical language
• Developed by the International Telecommunication Union (ITU).
• Designated as the formal description language for specifying the functional behavior of telecommunication systems by major standards bodies.
• Object-oriented.
• Specification of event-driven, real-time, concurrent distributed systems interacting with discrete signals.
• SDL specifications do not indicate an implementation structure.
[Fig a: SDL graphical representative syntax: 1. state name, 2. input signal name, 3. transition action, 4. output signal name, 5. state name]
[Fig b: SDL fragment of process Provide Roaming Number in VLR: states Idle and 6. Waiting For Roaming #; input signal Provide Roaming Number; transition actions: convert CSBC to basic service, IMSI known in VLR, allocate MSRN, store compatibility information, store alerting pattern, create IMSI record, allocate LMSI; output signal Provide Roaming Number ACK]
Call delivery Service
[Figure: message sequence between GMSC, HLR, VLR and MSC across the home network, the visiting network and the air interface]
1. Initial Address Message (IAM) to the GMSC
2. Send Rout Info (SRI): GMSC → HLR
3. Provide Roam Num (PRN): HLR → VLR
4. Provide Roam Num Ack (PRN_ACK): VLR → HLR
5. Send Rout Info Ack (SRI_ACK): HLR → GMSC
6. Initial Address Message (IAM): GMSC → MSC
7. SIFIC: MSC → VLR
8. Page MS: VLR → MSC
9. Page: MSC → mobile, over the air interface
Architecture of CAT
[Fig a: Overall architecture: telecommunication specifications are loaded into an SDL database and an integrated data structure; the analysis engine, driven by user input (seeds, goal) through the GUI, produces the attack graph output]
[Fig b: Functional architecture: explore using CAT (forward, mid-point) to obtain the maximum view; prune to the final view; output]
3G Attack Graph
• Nodes
  • Condition
  • Action
  • Goal
• Edges
  • Network Transitions
  • Adversary Transitions
• Tree Number
  • Represents the tree to which a node belongs.
  • Nodes at a level with the same tree number represent AND nodes.
Algorithm Principles
• Condition nodes may be constructed if the seed occurs in the message or in actions.
• When the seed occurs in an incoming message and the corresponding 3G server: corruption spreads from the message to the block.
• When a seed occurs in a 3G server together with other seeds/goal: corruption spreads from the seed to the other seeds/goal.
• When the corrupt seed occurs in a 3G server and an outgoing message: corruption spreads from the block to the other block.
Attack Classification
• 1-level indirect attacks: corruption of Seed1 leads to corruption of the Goal, hence reaching the Goal. (Seed1 → Goal)
• N-level indirect attacks: given any k seeds Seed1, Seed2, ..., Seedk and a Goal, corruption of Seed1 leads to corruption of some seed Seedi and so on until the Goal is corrupt. (Seed1 → … → Seedi → Seedj → … → Seedn → … → Goal)
• Collaborative attack: a single seed cannot reach the Goal, but the corruption of multiple seeds allows reaching the Goal, i.e. Seed1 & Seed2 → Goal
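As an added example (not CAT's own code), a toy implementation of the propagation principles and the three attack categories above; the data-derivation model of the call delivery flow, including which step is an AND node, is a constructed assumption and is not taken from the 3GPP SDL specifications.

```python
from itertools import combinations

# Constructed toy derivation model of the call delivery flow (assumption, not
# taken from the 3GPP SDL specifications). Each entry: (server, inputs, output,
# mode). mode "any": output is corrupt if any input is corrupt (OR node);
# "all": only if every input is corrupt (AND node, cf. shared tree number).
ACTIONS = [
    ("GMSC", ("MSISDN",), "SRI", "any"),             # 2. Send Routing Info
    ("HLR", ("SRI",), "PRN", "any"),                 # 3. Provide Roaming Number
    ("VLR", ("PRN", "IMSI_RECORD"), "MSRN", "all"),  # allocate MSRN (assumed AND)
    ("VLR", ("MSRN",), "PRN_ACK", "any"),            # 4. PRN acknowledgement
    ("HLR", ("PRN_ACK",), "SRI_ACK", "any"),         # 5. SRI acknowledgement
    ("GMSC", ("SRI_ACK",), "IAM", "any"),            # 6. Initial Address Message
]


def propagate(seeds, actions=ACTIONS):
    """Return {item: depth} for every data item corrupted by the seeds and the
    attack-graph edges (input, server, output) traversed to reach them."""
    depth = {s: 0 for s in seeds}
    edges = []
    changed = True
    while changed:  # fixpoint: repeat until no further item becomes corrupt
        changed = False
        for server, inputs, output, mode in actions:
            hit = [i for i in inputs if i in depth]
            if output in depth or not hit:
                continue
            if mode == "all" and len(hit) < len(inputs):
                continue  # AND node: the uncorrupted input blocks propagation
            combine = max if mode == "all" else min
            depth[output] = combine(depth[i] for i in hit) + 1
            edges.extend((i, server, output) for i in hit)
            changed = True
    return depth, edges


def classify(seeds, goal, actions=ACTIONS):
    """Apply the three attack categories to a set of seeds and one goal."""
    seeds = sorted(seeds)
    for s in seeds:  # single-seed (1-level or N-level indirect) attacks first
        reached, _ = propagate({s}, actions)
        if goal in reached:
            kind = "1-level indirect" if reached[goal] == 1 else "N-level indirect"
            return kind, (s,)
    for k in range(2, len(seeds) + 1):  # otherwise search for a collaborative attack
        for combo in combinations(seeds, k):
            if goal in propagate(set(combo), actions)[0]:
                return "collaborative", combo
    return "unreachable", ()
```

With only MSISDN as a seed the assumed AND node at the VLR blocks propagation, so IAM is unreachable; adding the IMSI record as a second seed turns it into a collaborative attack.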
Issues with SDL
• Data links in messages
  • SDL may not explicitly show data relations in request/response pairs
• Data dependencies in actions
  • Details (input data → output data) of subroutines may not be specified
  • Relation between input and output data items may not be specified.