Segment-Based Formal Verification of WiFi Fragmentation and Power Save Mode
Abstract: The IEEE 802.11 family of standards, better known as WiFi, is a widely deployed protocol used by billions of users. Previous work on WiFi formal verification has mostly focused on the four-way handshake and other security aspects. However, recent work has uncovered severe vulnerabilities in functional aspects of WiFi, which can cause information leakage on billions of devices. No existing formal analysis method is able to reason about the functional aspects of the WiFi protocol. In this paper, we take the first steps toward addressing this gap and present an extensive formal analysis of the functional aspects of the WiFi protocol, specifically the fragmentation and power-save-mode processes. To achieve this, we design a novel segment-based formal verification process and introduce a practical threat model (i.e. MAC spoofing) in Tamarin to reason about the various capabilities of the attacker. Using this approach, we verify 68 properties extracted from the WiFi protocol specification, find 3 vulnerabilities through the verification, verify 3 known attacks, and discover 2 new issues. These vulnerabilities and issues affect 14 of the 17 commercial devices we tested, showing the prevalence and impact of the issues. We also show that the proposed countermeasures are indeed sufficient to address the issues. We hope our results and analysis will help vendors adopt the countermeasures and motivate further research into the verification of the functional aspects of the WiFi protocol.