not operationally relevant until it's used in the wild
k claffy
kc at caida.org
Wed Mar 2 01:43:09 UTC 2005
but in the interest of full and early disclosure, etc
k
----- Forwarded message from k claffy <kc at caida.org> -----
Date: Tue, 1 Mar 2005 17:34:27 -0800
From: k claffy <kc at caida.org>
Subject: [Caida] yoshi's study on remote physical device fingerprinting
To: caida at caida.org
Cc: Tadayoshi Kohno <tkohno at cs.ucsd.edu>
Yoshi Kohno (doctoral student in UCSD's CSE program) just
released an eye-opening paper demonstrating methods for remotely
fingerprinting a physical device without any modification to
or known cooperation from the fingerprintee. At a high level,
these techniques exploit microscopic deviations in device
hardware: clock skews. Specifically, they exploit the fact
that most modern TCP stacks implement the TCP Timestamps Option
(RFC 1323). When this option is enabled, outgoing TCP packets
leak information about the sender's clock. Yoshi's results
further confirm a fundamental reason why securing real-world
systems is so difficult: it is possible to extract security-relevant
signals from data canonically considered to be noise. The
equally disturbing corollary is that there remain fundamental
properties of networks that we have yet to integrate into our
security models.
please don't forward to any bad guys. </cough>
k
paper and abstract available here:
=======================================================
<http://www.cse.ucsd.edu/users/tkohno/papers/PDF/>
[mirror site]
<http://www.caida.org/outreach/papers/2005/fingerprinting/>
Our abstract: We introduce the area of remote physical device
fingerprinting, or fingerprinting a physical device, as opposed to an
operating system or class of devices, remotely, and without the
fingerprinted device's known cooperation. We accomplish this goal by
exploiting small, microscopic deviations in device hardware: clock
skews. Our techniques do not require any modification to the
fingerprinted devices. Our techniques report consistent measurements
when the measurer is thousands of miles, multiple hops, and tens of
milliseconds away from the fingerprinted device, and when the
fingerprinted device is connected to the Internet from different
locations and via different access technologies. Further, one can
apply our passive and semi-passive techniques when the fingerprinted
device is behind a NAT or firewall, and also when the device's system
time is maintained via NTP or SNTP. One can use our techniques to
obtain information about whether two devices on the Internet, possibly
shifted in time or IP addresses, are actually the same physical device.
Example applications include: computer forensics; tracking, with some
probability, a physical device as it connects to the Internet from
different public access points; counting the number of devices behind a
NAT even when the devices use constant or random IP IDs; remotely
probing a block of addresses to determine if the addresses correspond
to virtual hosts, e.g., as part of a virtual honeynet; and
unanonymizing anonymized network traces.
_______________________________________________
Caida mailing list
Caida at caida.org
http://rommie.caida.org/mailman/listinfo/caida
----- End forwarded message -----
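The mechanism kc describes above (TSval from the TCP Timestamps Option leaking the sender's clock, and skew as a per-device fingerprint that also lets you count hosts behind a NAT) is shown here as an added worked example. This is not the paper's code nor anything from CAIDA: the traces are constructed in-process from an assumed skew, tick rate and jitter, and the skew estimate uses a lower-bound line that must lie beneath every offset point while minimising the summed distance to them, solved here by walking the lower convex hull rather than with an LP solver. Function names, tolerances and the 5 ppm clustering threshold are this example's own choices.

```python
# Added example: clock-skew fingerprinting from TCP TSval values.
# Not from the paper or CAIDA; traces are synthetic and labelled as such.
import random

TS_MOD = 2 ** 32  # TSval is a 32-bit counter and wraps


def make_trace(skew_ppm, hz, n, seed, duration=1800.0, jitter_ms=20.0):
    """Constructed synthetic trace of (measurer_arrival_time, tsval) pairs.

    The device clock runs at (1 + skew) times true time and its TSval
    counter ticks at `hz` Hz. The measurer sees each packet after a fixed
    one-way delay plus uniform jitter. Nothing here is captured traffic.
    """
    rng = random.Random(seed)
    base = rng.randrange(TS_MOD)                # counter starts anywhere
    trace = []
    for i in range(n):
        t = (i + rng.random()) * duration / n   # true send time (s)
        device_time = t * (1.0 + skew_ppm * 1e-6)
        tsval = (base + int(device_time * hz)) % TS_MOD
        arrival = t + 0.050 + rng.random() * jitter_ms / 1000.0
        trace.append((arrival, tsval))
    return trace


def _lstsq_slope(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den


def estimate_hz(trace):
    """Recover the TSval tick rate: slope of ticks vs. measurer seconds, rounded."""
    t0, ts0 = trace[0]
    xs = [t - t0 for t, _ in trace]
    vs = [(ts - ts0) % TS_MOD for _, ts in trace]
    return int(round(_lstsq_slope(xs, vs)))


def offsets(trace, hz):
    """Offset set: (seconds by measurer clock, device clock minus measurer clock)."""
    t0, ts0 = trace[0]
    pts = []
    for t, ts in trace:
        x = t - t0
        w = ((ts - ts0) % TS_MOD) / hz
        pts.append((x, w - x))
    return pts


def _lower_hull(pts):
    """Lower half of Andrew's monotone-chain hull; pts must be sorted by x."""
    hull = []
    for p in pts:
        while len(hull) >= 2:
            (ox, oy), (ax, ay) = hull[-2], hull[-1]
            if (ax - ox) * (p[1] - oy) - (ay - oy) * (p[0] - ox) > 0:
                break
            hull.pop()
        hull.append(p)
    return hull


def estimate_skew_ppm(trace, hz=None):
    """Skew = slope of the line lying below every offset point that minimises the
    summed vertical distance to them. That two-variable LP attains its optimum
    on an edge of the lower convex hull, so each hull edge is tried in turn."""
    hz = hz or estimate_hz(trace)
    pts = sorted(offsets(trace, hz))
    n = len(pts)
    sx = sum(x for x, _ in pts)
    sy = sum(y for _, y in pts)
    best = None
    hull = _lower_hull(pts)
    for (px, py), (qx, qy) in zip(hull, hull[1:]):
        if qx == px:
            continue
        a = (qy - py) / (qx - px)
        b = py - a * px
        cost = sy - a * sx - n * b        # total distance from points to the line
        if best is None or cost < best[0]:
            best = (cost, a)
    return best[1] * 1e6


def count_devices(flows, tol_ppm=5.0):
    """Count distinct physical devices among flows from one (NAT) address by
    grouping flows whose estimated skews lie within tol_ppm of each other."""
    skews = sorted(estimate_skew_ppm(f) for f in flows)
    groups = 1
    for prev, cur in zip(skews, skews[1:]):
        if cur - prev > tol_ppm:
            groups += 1
    return groups


if __name__ == "__main__":
    laptop = make_trace(skew_ppm=73.0, hz=1000, n=1000, seed=1)
    print("hz", estimate_hz(laptop), "skew ppm %.1f" % estimate_skew_ppm(laptop))
    nat_flows = [make_trace(73.0, 1000, 1000, s) for s in (1, 2, 3)] + \
                [make_trace(-41.0, 250, 1000, s) for s in (4, 5)]
    print("devices behind NAT:", count_devices(nat_flows))
```

Two things worth noting when reading the estimate: the measurer's own clock skew is folded into every number (the result is relative skew, which is why the same measurer must be used to compare two devices), and the lower-bound line is chosen over least squares because one-way delay only ever adds to the offset, so the envelope, not the mean, tracks the device clock.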