[ntp:hackers] Remote operating system fingerprinting via clock skew detection...

Brad Knowles brad at stop.mail-abuse.org
Wed Mar 2 03:23:05 PST 2005


Folks,

	Here's an interesting paper that has just been announced on the 
NANOG mailing list, regarding the ability to fingerprint remote 
systems according to their clock skew.  Interestingly, because the 
OSes in question do not tie their TCP timestamp to their system 
clock, even though NTP may correct the system clock (and therefore 
make it difficult to use ICMP Timestamp Request packets to actively 
fingerprint systems), the systems are still vulnerable to 
fingerprinting passively and semi-passively.

	If anyone here knows of anyone involved in doing TCP stack coding 
for any OS (especially including Linux, FreeBSD, OpenBSD, MacOS X, 
Solaris, etc...), now would be a good time to talk to your buddies 
about resolving the problem of the TCP timestamp clock skew being 
disconnected from the corrections we apply to the system clock.


	Once that problem is resolved, everything else should just be a 
matter of turning on ntpd by default, and making sure that the 
default configuration is reasonable.



>Date: Tue, 1 Mar 2005 17:43:09 -0800
>From: k claffy
>To: nanog at nanog.org
>Subject: not operationally relevant until it's used in the wild
>
>
>
>but in the interest of full and early disclosure, etc
>k
>
>
>----- Forwarded message from k claffy <kc at caida.org> -----
>
>   Date: Tue, 1 Mar 2005 17:34:27 -0800
>   From: k claffy
>   Subject: [Caida] yoshi's study on remote physical device fingerprinting
>   To: caida at caida.org
>
>
>
>
>   Yoshi Kohno (doctoral student in UCSD's CSE program) just
>   released an eye-opening paper demonstrating methods for remotely
>   fingerprinting a physical device without any modification to
>   or known cooperation from the fingerprintee.  At a high level,
>   these techniques exploit microscopic deviations in device
>   hardware: clock skews.  Specifically, they exploit the fact
>   that most modern TCP stacks implement the TCP Timestamps Option
>   (RFC 1323).  When this option is enabled, outgoing TCP packets
>   leak information about the sender's clock.  Yoshi's results
>   further confirm a fundamental reason why securing real-world
>   systems is so difficult: it is possible to extract security-relevant
>   signals from data canonically considered to be noise. The
>   equally disturbing corollary is that there remain fundamental
>   properties of networks that we have yet to integrate into our
>   security models.
>
>
>   please don't forward to any bad guys.  </cough>
>   k
>
>
>
>   paper and abstract available here:
>   =======================================================
>   	 <http://www.cse.ucsd.edu/users/tkohno/papers/PDF/>
>   	[mirror site]
>            <http://www.caida.org/outreach/papers/2005/fingerprinting/>
>
>
>     Our abstract:  We introduce the area of remote physical device
>     fingerprinting, or fingerprinting a physical device, as opposed to an
>     operating system or class of devices, remotely, and without the
>     fingerprinted device's known cooperation.  We accomplish this goal by
>     exploiting small, microscopic deviations in device hardware: clock
>     skews.  Our techniques do not require any modification to the
>     fingerprinted devices.  Our techniques report consistent measurements
>     when the measurer is thousands of miles, multiple hops, and tens of
>     milliseconds away from the fingerprinted device, and when the
>     fingerprinted device is connected to the Internet from different
>     locations and via different access technologies.  Further, one can
>     apply our passive and semi-passive techniques when the fingerprinted
>     device is behind a NAT or firewall, and also when the device's system
>     time is maintained via NTP or SNTP.  One can use our techniques to
>     obtain information about whether two devices on the Internet, possibly
>     shifted in time or IP addresses, are actually the same physical device.
>     Example applications include: computer forensics; tracking, with some
>     probability, a physical device as it connects to the Internet from
>     different public access points; counting the number of devices behind a
>     NAT even when the devices use constant or random IP IDs; remotely
>     probing a block of addresses to determine if the addresses correspond
>     to virtual hosts, e.g., as part of a virtual honeynet; and
>     unanonymizing anonymized network traces.
>
>   _______________________________________________
>   Caida mailing list
>   Caida at caida.org
>   http://rommie.caida.org/mailman/listinfo/caida
>
>----- End forwarded message -----
>
-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
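The passive technique the forwarded abstract describes, as an added worked example that is not code from the post, the NTP project or the Kohno paper: a measurer records, for each TCP segment it sees, its own (NTP-disciplined) receive time and the 32-bit TSval from the sender's TCP Timestamps Option (RFC 1323). It first estimates the sender's timestamp clock rate, then converts each sample to an offset (elapsed sender time minus elapsed measurer time) and fits the line that lies above every offset point while minimising the total vertical gap, which is the upper-envelope linear program the paper's analysis uses; because queueing delay only ever lowers an offset, the slope of that envelope is the device's clock skew, and it survives NTP correction of the system clock because the TCP timestamp clock is not disciplined by it. The three flows, the 1 s packet spacing, the 0-5 ms delay model and the 5 ppm "same device" tolerance are all constructed assumptions for this example, not measurements.

```python
"""Passive TCP-timestamp clock-skew fingerprinting (added example).

Each flow is a list of (arrival_time, tsval): the measurer's own receive
time in seconds and the 32-bit TSval from the sender's TCP Timestamps Option
(RFC 1323). Nothing here is from the post or the Kohno et al. paper's code;
the three flows at the bottom are constructed synthetically.
"""
import random

TS_MOD = 2 ** 32


def estimate_frequency(samples):
    """Sender's timestamp clock rate in Hz, from the OLS slope of
    (tsval - tsval0) against elapsed measurer time.

    Stacks use a handful of rates (e.g. 100, 250, 1000 Hz), and a skew of a
    few hundred ppm cannot move the slope across an integer boundary, so the
    slope is simply rounded.
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    t0, v0 = samples[0]
    xs = [t - t0 for t, _ in samples]
    ws = [(v - v0) % TS_MOD for _, v in samples]   # unsigned diff survives wrap
    n = len(xs)
    mx, mw = sum(xs) / n, sum(ws) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxw = sum((x - mx) * (w - mw) for x, w in zip(xs, ws))
    return int(round(sxw / sxx))


def _upper_hull(points):
    """Upper convex hull by Andrew's monotone chain; returns vertices by x."""
    hull = []
    for p in sorted(points):
        while len(hull) >= 2:
            (x1, y1), (x2, y2) = hull[-2], hull[-1]
            # hull[-1] lies on or below the segment hull[-2] -> p: drop it
            if (x2 - x1) * (p[1] - y1) - (y2 - y1) * (p[0] - x1) >= 0:
                hull.pop()
            else:
                break
        hull.append(p)
    return hull


def estimate_skew_ppm(samples):
    """Skew of the sender's timestamp clock relative to the measurer's, in ppm.

    Each sample becomes an offset y = elapsed_sender_time - elapsed_measurer_time.
    Queueing delay only ever lowers y, so we fit the line lying above every
    point that minimises the total vertical gap; its slope is the skew. That
    linear program's optimum sits on an edge of the offsets' upper convex
    hull, so enumerating hull edges replaces an LP solver.
    """
    freq = estimate_frequency(samples)
    t0, v0 = samples[0]
    pts = [(t - t0, ((v - v0) % TS_MOD) / freq - (t - t0)) for t, v in samples]
    n, sum_x = len(pts), sum(x for x, _ in pts)
    hull = _upper_hull(pts)
    best = None
    for (x1, y1), (x2, y2) in zip(hull, hull[1:]):
        if x2 == x1:
            continue
        a = (y2 - y1) / (x2 - x1)
        b = y1 - a * x1
        cost = a * sum_x + n * b      # sum_i (a*x_i + b), up to a constant
        if best is None or cost < best[0]:
            best = (cost, a)
    if best is None:
        raise ValueError("degenerate samples: no distinct arrival times")
    return best[1] * 1e6


def same_device(skew_a_ppm, skew_b_ppm, tol_ppm=5.0):
    """Do two flows look like one physical device? (tol_ppm is an assumption
    chosen for this example; a real deployment calibrates it against noise.)"""
    return abs(skew_a_ppm - skew_b_ppm) <= tol_ppm


def synth_flow(skew_ppm, freq_hz, start_time, phase, n=3000, seed=0):
    """Constructed flow: one packet per second from a device whose timestamp
    clock runs at freq_hz * (1 + skew_ppm/1e6), seen after 30 ms plus 0-5 ms
    of random queueing delay. Integer arithmetic keeps the TSvals exact."""
    rng = random.Random(seed)
    flow = []
    for k in range(n):
        true_t = start_time + k
        tsval = (freq_hz * (1_000_000 + skew_ppm) * true_t // 1_000_000 + phase) % TS_MOD
        arrival = true_t + 0.030 + rng.random() * 0.005
        flow.append((arrival, tsval))
    return flow


# Constructed data: two flows from "device A" (different times, addresses and
# timestamp phase; the second wraps its 32-bit counter mid-flow) and one from
# "device B", whose clock is slow by 120 ppm.
FLOW_A1 = synth_flow(50, 1000, start_time=1_000_000, phase=12345, seed=1)
FLOW_A2 = synth_flow(50, 1000, start_time=4_294_000, phase=98765, seed=2)
FLOW_B = synth_flow(-120, 1000, start_time=1_000_000, phase=555, seed=3)

if __name__ == "__main__":
    for name, flow in (("A1", FLOW_A1), ("A2", FLOW_A2), ("B", FLOW_B)):
        print(name, estimate_frequency(flow), "Hz",
              round(estimate_skew_ppm(flow), 1), "ppm")
    print("A1/A2 same device:",
          same_device(estimate_skew_ppm(FLOW_A1), estimate_skew_ppm(FLOW_A2)))
```

Two points worth noting when running this against real captures rather than the constructed flows: the measurer's own clock must be stable over the capture (the skew comes out relative to it, which is why the paper's measurer was NTP-disciplined), and the upper-envelope fit, unlike ordinary least squares, is deliberately insensitive to the one-sided noise of queueing delay, which is what lets it work across many hops and through a NAT.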


