Cross layer attacks and how to use them (for DNS Cache Poisoning, Device Tracking and More)

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-reviewed

Abstract

We analyze the prandom pseudo random number generator (PRNG) in use in the Linux kernel (which is the kernel of the Linux operating system, as well as of Android) and demonstrate that this PRNG is weak. The prandom PRNG is in use by many "consumers" in the Linux kernel. We focused on three consumers at the network level: the UDP source port generation algorithm, the IPv6 flow label generation algorithm and the IPv4 ID generation algorithm. The flawed prandom PRNG is shared by all these consumers, which enables us to mount "cross layer attacks" against the Linux kernel. In these attacks, we infer the internal state of the prandom PRNG from one OSI layer, and use it either to predict the values of the PRNG employed by the other OSI layer, or to correlate it to an internal state of the PRNG inferred from the other protocol. Using this approach we can mount a very efficient DNS cache poisoning attack against Linux. We collect TCP/IPv6 flow label values, or UDP source ports, or TCP/IPv4 IP ID values, reconstruct the internal PRNG state, then predict an outbound DNS query UDP source port, which speeds up the attack by a factor of x3000 to x6000. This attack works remotely, but can also be mounted locally, across Linux users and across containers, and (depending on the stub resolver) can poison the cache with an arbitrary DNS record. Additionally, we can identify and track Linux and Android devices: we collect TCP/IPv6 flow label values and/or UDP source port values and/or TCP/IPv4 ID fields, reconstruct the PRNG internal state and correlate this new state to previously extracted PRNG states to identify the same device.

Original language: English
Title of host publication: Proceedings - 2021 IEEE Symposium on Security and Privacy, SP 2021
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 1179-1196
Number of pages: 18
ISBN (Electronic): 9781728189345
DOIs:
State: Published - May 2021
Event: 42nd IEEE Symposium on Security and Privacy, SP 2021 - Virtual, San Francisco, United States
Duration: 24 May 2021 to 27 May 2021

Publication series

Name: Proceedings - IEEE Symposium on Security and Privacy
Volume: 2021-May

Conference

Conference: 42nd IEEE Symposium on Security and Privacy, SP 2021
Country/Territory: United States
City: Virtual, San Francisco
Period: 24/05/21 to 27/05/21

Keywords

  • Android
  • Cross layer attack
  • DNS cache poisoning
  • Device tracking
  • Flow label
  • IP ID
  • Kernel
  • Linux
  • PRNG
  • Pseudo random number generator
  • Stub resolver
  • TCP
  • UDP

All Science Journal Classification (ASJC) codes

  • Safety, Risk, Reliability and Quality
  • Software
  • Computer Networks and Communications
