Top

Published in:

2018 | OriginalPaper | Chapter

Extending Automated Protocol State Learning for the 802.11 4-Way Handshake

Authors : Chris McMahon Stone, Tom Chothia, Joeri de Ruiter

Published in: Computer Security

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

We show how state machine learning can be extended to handle time out behaviour and unreliable communication mediums. This enables us to carry out the first fully automated analysis of 802.11 4-Way Handshake implementations. We develop a tool that uses our learning method and apply this to 7 widely used Wi-Fi routers, finding 3 new security critical vulnerabilities: two distinct downgrade attacks and one router that can be made to leak some encrypted data to an attacker before authentication.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Beneath the Bonnet: A Breakdown of Diagnostic Security

next chapter Automatic Detection of Various Malicious Traffic Using Side Channel Features on TCP Packets

Available only for authorised users

https://chrismcmstone.github.io/wifi-learner/.

Retransmissions definitions can be customised. For the purpose of testing Wi-Fi, we define a retransmission to be an identical message as before, with the exception of the Replay Counter value.

http://www.secdev.org/projects/scapy/.

https://chrismcmstone.github.io/wifi-learner/.

Banks, G., Cova, M., Felmetsger, V., Almeroth, K., Kemmerer, R., Vigna, G.: SNOOZE: toward a stateful NetwOrk prOtocol fuzZEr. In: Katsikas, S.K., López, J., Backes, M., Gritzalis, S., Preneel, B. (eds.) ISC 2006. LNCS, vol. 4176, pp. 343–358. Springer, Heidelberg (2006). https://doi.org/10.1007/11836810_25CrossRef

Butti, L., Tinnes, J.: Discovering and exploiting 802.11 wireless driver vulnerabilities. J. Comput. Virol. 4(1), 25–37 (2008)CrossRef

Broy, M., Jonsson, B., Katoen, J.-P., Leucker, M., Pretschner, A. (eds.): Model-Based Testing of Reactive Systems. LNCS, vol. 3472. Springer, Heidelberg (2005). https://doi.org/10.1007/b137241CrossRefMATH

Vanhoef, M., Schepers, D., Piessens, F.: Discovering logical vulnerabilities in the Wi-Fi handshake using model-based testing. In: Asia Conference on Computer and Communications Security. ACM (2017)

Aarts, F., de Ruiter, J., Poll, E.: Formal models of bank cards for free. In: Sixth International Conference on Software Testing, Verification and Validation Workshops, ICSTW. IEEE (2013)

Fiterău-Broştean, P., Lenaerts, T., Poll, E., de Ruiter, J., Vaandrager, F., Verleg, P.: Model learning and model checking of SSH implementations. In: 24th International SPIN Symposium on Model Checking of Software, SPIN 2017 (2017)

de Ruiter, J., Poll, E.: Protocol state fuzzing of TLS implementations. In: USENIX Security, vol. 15 (2015)

Grinchtein, O., Jonsson, B., Leucker, M.: Learning of event-recording automata. In: Lakhnech, Y., Yovine, S. (eds.) FORMATS/FTRTFT 2004. LNCS, vol. 3253, pp. 379–395. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30206-3_26CrossRefMATH

Fiterău-Broştean, P., Janssen, R., Vaandrager, F.: Combining model learning and model checking to analyze TCP implementations. In: Chaudhuri, S., Farzan, A. (eds.) CAV 2016. LNCS, vol. 9780, pp. 454–471. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-41540-6_25CrossRef

10.

Tappler, M., Aichernig, B.K., Bloem, R.: Model-based testing IoT communication via active automata learning. In: 2017 IEEE International Conference on Software Testing, Verification and Validation, ICST 2017, pp. 276–287 (2017)

11.

Raffelt, H., Steffen, B., Berg, T., Margaria, T.: LearnLib: a framework for extrapolating behavioral models. Int. J. Softw. Tools Technol. Transf. (STTT) 11(5), 393–407 (2009)CrossRef

12.

Isberner, M., Howar, F., Steffen, B.: The open-source LearnLib. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 487–495. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21690-4_32CrossRef

13.

Margaria, T., Niese, O., Raffelt, H., Steffen, B.: Efficient test-based model generation for legacy reactive systems. In: Ninth IEEE International High-Level Design Validation and Test Workshop, pp. 95–100. IEEE (2004)

14.

Janssen, M.: Combining learning with fuzzing for software deobfuscation (2016)

15.

Aarts, F., Schmaltz, J., Vaandrager, F.: Inference and abstraction of the biometric passport. In: Margaria, T., Steffen, B. (eds.) ISoLA 2010. LNCS, vol. 6415, pp. 673–686. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-16558-0_54CrossRef

16.

Jonsson, B., Vaandrager, F.: Learning mealy machines with timers. http://www.sws.cs.ru.nl/publications/papers/fvaan/MMT/

17.

Fluhrer, S., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 1–24. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45537-X_1CrossRefMATH

18.

Tews, E., Beck, M.: Practical attacks against WEP and WPA. In: Proceedings of the Second ACM Conference on Wireless Network Security, pp. 79–86. ACM (2009)

19.

He, C., Mitchell, J.C.: Analysis of the 802.11 i 4-way handshake. In: Proceedings of the 3rd ACM Workshop on Wireless Security, pp. 43–50. ACM (2004)

20.

Mitchell, C.: Security analysis and improvements for IEEE 802.11 i. In: 12th Annual Network and Distributed System Security Symposium, NDSS (2005)

21.

He, C., Sundararajan, M., Datta, A., Derek, A., Mitchell, J.C.: A modular correctness proof of IEEE 802.11 i and TLS. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, pp. 2–15. ACM (2005)

22.

Wang, L., Srinivasan, B.: Analysis and improvements over DoS attacks against IEEE 802.11 i standard. In: 2nd Conference on Networks Security Wireless Communications and Trusted Computing, NSWCTC. IEEE (2010)

23.

Vanhoef, M., Piessens, F.: Predicting, decrypting, and abusing WPA2/802.11 group keys. In: USENIX Security Symposium (2016)

24.

Mendonça, M., Neves, N.: Fuzzing Wi-Fi drivers to locate security vulnerabilities. In: 7th Dependable Computing Conference, EDCC. IEEE (2008)

25.

Vanhoef, M., Piessens, F.: Key reinstallation attacks: Forcing nonce reuse in WPA2. In: 24th ACM Conference on Computer and Communication Security (2017)

26.

Group, I.W., et al.: IEEE standard for information technology–Telecommunications and information exchange between systems–Local and metropolitan area networks–Specific requirements–Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications. IEEE Std 802(11) (2010)

27.

Angluin, D.: Learning regular sets from queries and counterexamples. Inf. Comput. 75(2), 87–106 (1987)MathSciNetCrossRef

28.

Niese, O.: An integrated approach to testing complex systems. Ph.D. thesis. Universität Dortmund (2003)

29.

Shahbaz, M., Groz, R.: Inferring mealy machines. In: Cavalcanti, A., Dams, D.R. (eds.) FM 2009. LNCS, vol. 5850, pp. 207–222. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-05089-3_14CrossRef

30.

Raffelt, H., Steffen, B., Berg, T.: LearnLib: a library for automata learning and experimentation. In: Proceedings of the 10th International Workshop on Formal Methods for Industrial Critical Systems. ACM (2005)

31.

Aarts, F., Vaandrager, F.: Learning I/O automata. In: Gastin, P., Laroussinie, F. (eds.) CONCUR 2010. LNCS, vol. 6269, pp. 71–85. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15375-4_6CrossRef

32.

Chow, T.S.: Testing software design modeled by finite-state machines. IEEE Trans. Softw. Eng. 3, 178–187 (1978)CrossRef

33.

Chothia, T., de Ruiter, J., Smyth, B.: Modeling and analysis of a hierarchy of distance bounding attacks. In: 27th USENIX Security Symposium, USENIX Security 2018. USENIX Association, Baltimore (2018). https://www.usenix.org/conference/usenixsecurity18/presentation/chothia

Title: Extending Automated Protocol State Learning for the 802.11 4-Way Handshake
Authors: Chris McMahon Stone
Tom Chothia
Joeri de Ruiter
Publisher: Springer International Publishing
Book: Computer Security
Print ISBN: 978-3-319-99072-9

Electronic ISBN: 978-3-319-99073-6

Copyright Year: 2018
DOI: https://doi.org/10.1007/978-3-319-99073-6_16

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner