TY - GEN
T1 - From IP ID to device ID and KASLR bypass
AU - Klein, Amit
AU - Pinkas, Benny
N1 - Publisher Copyright: © 2019 by The USENIX Association. All rights reserved.
PY - 2019
Y1 - 2019
AB - IP headers include a 16-bit ID field. Our work examines the generation of this field in Windows (versions 8 and higher), Linux and Android, and shows that the IP ID field enables remote servers to assign a unique ID to each device and thus be able to identify subsequent transmissions sent from that device. This identification works across all browsers and over network changes. In modern Linux and Android versions, this field leaks a kernel address, thus we also break KASLR. Our work includes reverse-engineering of the Windows IP ID generation code, and a cryptanalysis of this code and of the Linux kernel IP ID generation code. It provides practical techniques to partially extract the key used by each of these algorithms, overcoming different implementation issues, and observing that this key can identify individual devices. We deployed a demo (for Windows) showing that key extraction and machine fingerprinting work in the wild, and tested it from networks around the world.
UR - http://www.scopus.com/inward/record.url?scp=85076381075&partnerID=8YFLogxK
M3 - Conference contribution
T3 - Proceedings of the 28th USENIX Security Symposium
SP - 1063
EP - 1080
BT - Proceedings of the 28th USENIX Security Symposium
T2 - 28th USENIX Security Symposium
Y2 - 14 August 2019 through 16 August 2019
ER -