[ntp:hackers] Remote operating system fingerprinting via clock skew detection...
Brad Knowles
brad at stop.mail-abuse.org
Wed Mar 2 03:23:05 PST 2005
Folks,
Here's an interesting paper that has just been announced on the
NANOG mailing list, regarding the ability to fingerprint remote
systems according to their clock skew. Interestingly, because the
OSes in question do not tie their TCP timestamp to their system
clock, even though NTP may correct the system clock (and therefore
make it difficult to use ICMP Timestamp Request packets to actively
fingerprint systems), the systems are still vulnerable to
fingerprinting passively and semi-passively.
If anyone here knows of anyone involved in doing TCP stack coding
for any OS (especially including Linux, FreeBSD, OpenBSD, MacOS X,
Solaris, etc...), now would be a good time to talk to your buddies
about resolving the problem of the TCP timestamp clock skew being
disconnected from the corrections we apply to the system clock.
Once that problem is resolved, everything else should just be a
matter of turning on ntpd by default, and making sure that the
default configuration is reasonable.
>Date: Tue, 1 Mar 2005 17:43:09 -0800
>From: k claffy
>To: nanog at nanog.org
>Subject: not operationally relevant until it's used in the wild
>
>
>
>but in the interest of full and early disclosure, etc
>k
>
>
>----- Forwarded message from k claffy <kc at caida.org> -----
>
> Date: Tue, 1 Mar 2005 17:34:27 -0800
> From: k claffy
> Subject: [Caida] yoshi's study on remote physical device fingerprinting
> To: caida at caida.org
>
>
>
>
> Yoshi Kohno (doctoral student in UCSD's CSE program) just
> released an eye-opening paper demonstrating methods for remotely
> fingerprinting a physical device without any modification to
> or known cooperation from the fingerprintee. At a high level,
> these techniques exploit microscopic deviations in device
> hardware: clock skews. Specifically, they exploit the fact
> that most modern TCP stacks implement the TCP Timestamps Option
> (RFC 1323). When this option is enabled, outgoing TCP packets
> leak information about the sender's clock. Yoshi's results
> further confirm a fundamental reason why securing real-world
> systems is so difficult: it is possible to extract security-relevant
> signals from data canonically considered to be noise. The
> equally disturbing corollary is that there remain fundamental
> properties of networks that we have yet to integrate into our
> security models.
>
>
> please don't forward to any bad guys. </cough>
> k
>
>
>
> paper and abstract available here:
> =======================================================
> <http://www.cse.ucsd.edu/users/tkohno/papers/PDF/>
> [mirror site]
> <http://www.caida.org/outreach/papers/2005/fingerprinting/>
>
>
> Our abstract: We introduce the area of remote physical device
> fingerprinting, or fingerprinting a physical device, as opposed to an
> operating system or class of devices, remotely, and without the
> fingerprinted device's known cooperation. We accomplish this goal by
> exploiting small, microscopic deviations in device hardware: clock
> skews. Our techniques do not require any modification to the
> fingerprinted devices. Our techniques report consistent measurements
> when the measurer is thousands of miles, multiple hops, and tens of
> milliseconds away from the fingerprinted device, and when the
> fingerprinted device is connected to the Internet from different
> locations and via different access technologies. Further, one can
> apply our passive and semi-passive techniques when the fingerprinted
> device is behind a NAT or firewall, and also when the device's system
> time is maintained via NTP or SNTP. One can use our techniques to
> obtain information about whether two devices on the Internet, possibly
> shifted in time or IP addresses, are actually the same physical device.
> Example applications include: computer forensics; tracking, with some
> probability, a physical device as it connects to the Internet from
> different public access points; counting the number of devices behind a
> NAT even when the devices use constant or random IP IDs; remotely
> probing a block of addresses to determine if the addresses correspond
> to virtual hosts, e.g., as part of a virtual honeynet; and
> unanonymizing anonymized network traces.
>
> _______________________________________________
> Caida mailing list
> Caida at caida.org
> http://rommie.caida.org/mailman/listinfo/caida
>
>----- End forwarded message -----
>
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
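The TSval skew measurement the forwarded abstract describes, as an added example that is not part of the original post or of Kohno's paper: a defender can run it over (receive_time, TSval) pairs captured from their own hosts to check whether the TCP timestamp clock actually follows the NTP corrections applied to the system clock. It swaps in an ordinary least-squares slope for the paper's linear-programming fit, assumes the sender's tick rate `hz` is known rather than inferred, and uses constructed samples instead of a real capture.

```python
# Added example, not from the original post or the Kohno paper. Estimates the
# clock skew a host leaks through TCP Timestamps (RFC 1323) TSval values.
# Assumptions: the observer clock is NTP-disciplined, the sender's TSval tick
# rate (hz) is known, and a least-squares slope stands in for the paper's LP fit.

TS_MOD = 2 ** 32  # TSval is a 32-bit counter and wraps around


def ts_delta(later: int, earlier: int) -> int:
    """TSval difference that tolerates a 32-bit wraparound between samples."""
    return (later - earlier) % TS_MOD


def estimate_skew_ppm(samples, hz: float) -> float:
    """Return the sender's TS clock skew, in parts per million, relative to
    the observer. samples: (receive_time_s, tsval) pairs in arrival order."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    t0, ts0 = samples[0]
    xs, ys = [], []
    for t, ts in samples:
        x = t - t0                        # observer time elapsed
        y = ts_delta(ts, ts0) / hz - x    # sender elapsed minus observer elapsed
        xs.append(x)
        ys.append(y)
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6          # slope of offset vs. time, as ppm


def ts_clock_undisciplined(skew_ppm: float, threshold_ppm: float = 1.0) -> bool:
    """A TS clock that followed NTP corrections would show near-zero skew
    against an NTP-synced observer; a stable offset of tens of ppm is the
    per-device fingerprint the paper describes."""
    return abs(skew_ppm) > threshold_ppm


def constructed_samples(hz, skew_ppm, start_tsval, n, interval_s):
    """Constructed data: a sender whose TS clock runs fast by skew_ppm."""
    rate = hz * (1 + skew_ppm / 1e6)
    return [(i * interval_s, (start_tsval + round(rate * i * interval_s)) % TS_MOD)
            for i in range(n)]


if __name__ == "__main__":
    flow = constructed_samples(1000, 100.0, TS_MOD - 5000, 13, 10.0)  # wraps once
    ppm = estimate_skew_ppm(flow, 1000)
    print(f"skew {ppm:.2f} ppm, undisciplined: {ts_clock_undisciplined(ppm)}")
```

Real captures add queueing jitter and TSval quantization, so observe a flow for minutes and expect the slope to settle rather than reading it off a handful of packets.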