Abstract
We analyze the prandom pseudo random number generator (PRNG) in use in the Linux kernel (which is the kernel of the Linux operating system, as well as of Android) and demonstrate that this PRNG is weak. The prandom PRNG is in use by many "consumers"in the Linux kernel. We focused on three consumers at the network level - the UDP source port generation algorithm, the IPv6 flow label generation algorithm and the IPv4 ID generation algorithm. The flawed prandom PRNG is shared by all these consumers, which enables us to mount "cross layer attacks"against the Linux kernel. In these attacks, we infer the internal state of the prandom PRNG from one OSI layer, and use it to either predict the values of the PRNG employed by the other OSI layer, or to correlate it to an internal state of the PRNG inferred from the other protocol.Using this approach we can mount a very efficient DNS cache poisoning attack against Linux. We collect TCP/IPv6 flow label values, or UDP source ports, or TCP/IPv4 IP ID values, reconstruct the internal PRNG state, then predict an outbound DNS query UDP source port, which speeds up the attack by a factor of x3000 to x6000. This attack works remotely, but can also be mounted locally, across Linux users and across containers, and (depending on the stub resolver) can poison the cache with an arbitrary DNS record. Additionally, we can identify and track Linux and Android devices - we collect TCP/IPv6 flow label values and/or UDP source port values and/or TCP/IPv4 ID fields, reconstruct the PRNG internal state and correlate this new state to previously extracted PRNG states to identify the same device.
Original language | English |
---|---|
Title of host publication | Proceedings - 2021 IEEE Symposium on Security and Privacy, SP 2021 |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
Pages | 1179-1196 |
Number of pages | 18 |
ISBN (Electronic) | 9781728189345 |
DOIs | |
State | Published - May 2021 |
Externally published | Yes |
Event | 42nd IEEE Symposium on Security and Privacy, SP 2021 - Virtual, San Francisco, United States Duration: 24 May 2021 → 27 May 2021 |
Publication series
Name | Proceedings - IEEE Symposium on Security and Privacy |
---|---|
Volume | 2021-May |
ISSN (Print) | 1081-6011 |
Conference
Conference | 42nd IEEE Symposium on Security and Privacy, SP 2021 |
---|---|
Country/Territory | United States |
City | Virtual, San Francisco |
Period | 24/05/21 → 27/05/21 |
Bibliographical note
Publisher Copyright:© 2021 IEEE.
Keywords
- Android
- Cross layer attack
- DNS cache poisoning
- Device tracking
- Flow label
- IP ID
- Kernel
- Linux
- PRNG
- Psuedo random number generator
- Stub resolver
- TCP
- UDP